Utilizing Minecraft as a Form of Covert Communication

Kenaid

12/11/2025 · 2 min read

The Minecraft Problem Nobody Talks About

Minecraft has 200 million active players worldwide. It's everywhere - schools, homes, internet cafes. And that ubiquity makes it interesting for security research. Not because it's vulnerable, but because it's normal. Nobody blinks when someone uploads a custom skin. Nobody monitors Minecraft traffic for hidden messages.

That's exactly what makes it useful for studying covert channels.

How It Actually Works

Here's the breakdown:

Step 1: The Setup

  • Player 1 embeds a secret message into their Minecraft character skin using MASC (Minecraft Avatar Steganography Channel) encoding

  • The message gets hidden in the pixel data of a standard 64x64 PNG file

  • Player 1 uploads this skin to Mojang's texture servers using their legitimate Minecraft account

Step 2: The Transfer

  • Both players join the same Minecraft server

  • Player 2 simply needs to know Player 1's username

  • The server automatically displays Player 1's skin (with the hidden message) to Player 2

  • No direct file transfer. No suspicious network traffic. Just normal Minecraft gameplay.

Step 3: The Extraction

  • Player 2 uses a decoder script to extract the hidden message from the skin file

  • The message appears in plain text, ready to read

The entire exchange looks like two people playing Minecraft. Because it is.

The Technical Bits

MASC uses a custom steganographic algorithm built specifically for Minecraft's 64x64 PNG skin format. The technique exploits inefficiencies in how skin images are stored and transmitted through Mojang's servers.

At its core, the approach works by subtly modifying pixel values in ways that are invisible to the human eye but can be detected programmatically. Think of it like hiding a message in the static of an old TV - it's there if you know how to look for it, but casual observers won't notice anything unusual.

The process is straightforward:

Encoding: Your message gets converted to binary, then embedded into specific pixels of the skin file using the MASC algorithm. The result looks like any other Minecraft skin - same dimensions, same file format, visually identical to the original.

Transfer: Upload the modified skin to your Minecraft account through Mojang's official servers. When other players see your character in-game, they're downloading that skin from Mojang's CDN. No direct connection between sender and receiver. No suspicious file transfers.

Decoding: The receiver downloads your skin (either by seeing your character or fetching it via Mojang's API), runs it through the decoder, and extracts the hidden message.
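From the monitoring side, the same properties give a defender something to check in a downloaded skin file. The script below is an added example, not MASC code and not from the authors: this post does not publish the MASC algorithm, so the two indicators (colours that differ only in their lowest bit, and RGB data left under fully transparent pixels) are assumed generic steganalysis heuristics, and the function names and sample images are constructed for illustration.

```python
import struct, zlib

SIG = b"\x89PNG\r\n\x1a\n"

def read_rgba(png):
    """Decode an 8-bit RGBA, non-interlaced PNG into (width, height, pixels)."""
    if png[:8] != SIG:
        raise ValueError("not a PNG")
    pos, chunks = 8, {}
    while pos + 8 <= len(png):
        n, kind = struct.unpack(">I4s", png[pos:pos + 8])
        chunks[kind] = chunks.get(kind, b"") + png[pos + 8:pos + 8 + n]
        pos += 12 + n
    w, h, depth, ctype, _, _, interlace = struct.unpack(">IIBBBBB", chunks[b"IHDR"])
    if (depth, ctype, interlace) != (8, 6, 0):
        raise ValueError("expected 8-bit RGBA, non-interlaced")
    raw, stride, prev, pixels = zlib.decompress(chunks[b"IDAT"]), w * 4, bytearray(w * 4), []
    for y in range(h):
        start = y * (stride + 1)
        ftype, line = raw[start], bytearray(raw[start + 1:start + 1 + stride])
        for i in range(stride):  # undo PNG row filters 0-4 (none, sub, up, average, Paeth)
            a, b, c = (line[i - 4] if i >= 4 else 0), prev[i], (prev[i - 4] if i >= 4 else 0)
            pa, pb, pc = abs(b - c), abs(a - c), abs(a + b - 2 * c)
            paeth = a if pa <= pb and pa <= pc else (b if pb <= pc else c)
            line[i] = (line[i] + (0, a, b, (a + b) // 2, paeth)[ftype]) & 0xFF
        pixels += [tuple(line[i:i + 4]) for i in range(0, stride, 4)]
        prev = line
    return w, h, pixels

def triage_skin(png):
    """Generic screening heuristics (assumed indicators, not MASC's algorithm)."""
    w, h, px = read_rgba(png)
    rgb = {p[:3] for p in px if p[3]}  # colours of visible pixels
    return {
        "size_ok": (w, h) == (64, 64),
        # visible colours that differ from another colour only in their lowest bit
        "lsb_only_variants": len(rgb) - len({(r >> 1, g >> 1, b >> 1) for r, g, b in rgb}),
        # RGB data left under fully transparent pixels, which is never rendered
        "invisible_nonzero": sum(1 for p in px if p[3] == 0 and any(p[:3])),
    }

def make_png(w, h, pixels):  # builds the constructed sample images below
    chunk = lambda k, d: struct.pack(">I", len(d)) + k + d + struct.pack(">I", zlib.crc32(k + d))
    raw = b"".join(b"\0" + bytes(v for p in pixels[y * w:(y + 1) * w] for v in p) for y in range(h))
    return SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", w, h, 8, 6, 0, 0, 0)) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

CLEAN = make_png(64, 64, [(120, 80, 40, 255)] * 4096)  # constructed: one flat colour
NOISY = make_png(64, 64, [(120 ^ (i & 1), 80 ^ (i >> 1 & 1), 40, 255 if i % 64 < 32 else 0) for i in range(4096)])
```

Both indicators can also show up in ordinary skins exported by some image editors, so a non-zero count is a reason to look closer at a file, not proof of a hidden payload.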

Thank you to my colleagues Krunal Thumar and Sufyan Alsayeh for the practical demonstration.