myurl.me

Minecraft Forge includes an opt-in update checker that notifies players when mod updates are available. The MDK's example config used http://myurl.me/ as a placeholder, and many mod developers released their mods without changing it.

Modpacks with affected mods would spam version check errors on startup. The domain was owned by a parking company, so Forge was inadvertently sending requests to a third party.

A fix proposed in July 2020 was rejected on the grounds that the error was "intentional" to encourage developers to fill in their info. I tried to buy the domain, but it was listed at nearly $5,000 and my inquiry went unanswered.

Forge eventually addressed it that December, updating the MDK and adding a skip for mods using the old URLs.

Three years later, the domain expired. I won it at auction for $23.98 and kept it reserved until I was able to complete this site.

On December 9, 2021, Log4Shell was disclosed, a critical RCE vulnerability in log4j. Minecraft uses log4j, and the Forge VersionChecker logs response data through it, making anyone who controls the update URL capable of executing arbitrary code.

Had a malicious actor owned this domain, every client checking for updates could have been compromised. Fortunately, I acquired it in 2023, closing this attack vector.

This site serves two purposes. For browsers, you're reading the history. For Minecraft clients still running affected mods, it returns valid JSON that displays a warning in-game.

In the last 24 hours 1,237 requests have hit this endpoint, roughly 52 per hour. Many potentially still vulnerable to Log4Shell.