Sometimes, users will upload JVM crash logs, and these unfortunately contain the full list of arguments passed to the Java process. This can include the user's access token, which could allow malicious actors to play the game under their account for a short while.
We should either improve our issue reporting process to explain how to redact this information manually, or otherwise set up a small bot with our GitHub/Discord to automatically scan crash logs for sensitive information.
An example of the access token being leaked through the JVM crash log can be found below.
#
# A fatal error has been detected by the Java Runtime Environment:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x000001a1c254ba80, pid=12692, tid=14452
#
...[snipped]...
Command Line: -XX:HeapDumpPath=MojangTricksIntelDriversForPerformance_javaw.exe_minecraft.exe.heapdump [..snipped..] --uuid 6307f1759b8c4e00bda5e6a989e624c4 --accessToken d2h5ZGlkeW91dHJ5dG9yZXZlcnNldGhpcw...
Sometimes, users will upload JVM crash logs, and these unfortunately contain the full list of arguments passed to the Java process. This can include the user's access token, which could allow malicious actors to play the game under their account for a short while.
We should either improve our issue reporting process to explain how to redact this information manually, or otherwise set up a small bot with our GitHub/Discord to automatically scan crash logs for sensitive information.
An example of the access token being leaked through the JVM crash log can be found below.