Today a security researcher has published an exploit which hackers can take advantage of to crash Minecraft servers. Apparently the researcher kept on warning Mojang, the game’s creator, about this exploit, but after being ignored multiple times he decided to go ahead and publish it. Mojang allegedly ignored his warnings for up to a year before he ultimately decided to make the exploit public.
Ammar Askar, the researcher, writes in a blog post today that he actually told Mojang about this exploit nearly two years back but he was either “ignored” or “given highly unsatisfactory responses.”
The exploit uses a vulnerability in the way the Minecraft server decompresses and parses data. When this vulnerability is exploited, it can cause the server to run out of memory under significantly high processor load.
According to Askar the fix isn’t that hard and requires some form of “recursion and size limits,” which when implemented could mitigate the risk. Despite his repeated warnings, Mojang didn’t fix it.
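To illustrate the “recursion and size limits” Askar describes, here is an added example (not Askar’s proof of concept and not Mojang’s code) that caps both the decompressed size and the nesting depth before accepting a packet. The nested byte format, the 2 MiB and 512-level caps, and the sample packets are all assumptions made for the example.

```python
import zlib

MAX_INFLATED = 2 * 1024 * 1024   # assumed cap on decompressed bytes
MAX_DEPTH = 512                  # assumed cap on nesting depth

class LimitExceeded(ValueError):
    """Raised when input would exceed a size or recursion limit."""

def bounded_inflate(blob: bytes, limit: int = MAX_INFLATED) -> bytes:
    # Ask zlib for at most limit+1 bytes: a tiny blob that inflates to
    # gigabytes is refused without ever allocating the full output.
    d = zlib.decompressobj()
    out = d.decompress(blob, limit + 1)
    if len(out) > limit:
        raise LimitExceeded("inflated size exceeds %d bytes" % limit)
    return out

def parse_nested(buf: bytes, max_depth: int = MAX_DEPTH):
    # Toy format (assumed): 0x01 opens a list, 0x02 closes it, 0x03 <byte> is a value.
    pos = 0
    def node(depth):
        nonlocal pos
        if depth > max_depth:
            raise LimitExceeded("nesting deeper than %d levels" % max_depth)
        tag = buf[pos]
        pos += 1
        if tag == 0x03:
            pos += 1
            return buf[pos - 1]
        if tag == 0x01:
            items = []
            while buf[pos] != 0x02:
                items.append(node(depth + 1))
            pos += 1
            return items
        raise ValueError("unknown tag 0x%02x at offset %d" % (tag, pos - 1))
    return node(0)

def check(blob: bytes):
    # Returns ("ok", value) or ("rejected", reason) so the caller can log and drop.
    try:
        return ("ok", parse_nested(bounded_inflate(blob)))
    except (LimitExceeded, ValueError, IndexError, zlib.error) as e:
        return ("rejected", type(e).__name__)

# Constructed sample packets, not captured from a real server.
GOOD = zlib.compress(b"\x01\x03\x05\x01\x03\x06\x02\x02")             # [5, [6]]
DEEP = zlib.compress(b"\x01" * 600 + b"\x03\x01" + b"\x02" * 600)    # 600 levels deep
BIG = zlib.compress(b"\x01" + b"\x03\x00" * (4 * 1024 * 1024) + b"\x02")  # inflates to 8 MiB

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("DEEP", DEEP), ("BIG", BIG)):
        print(name, check(blob))
```

Without the two caps, DEEP would exhaust the call stack and BIG would be inflated in full before parsing even starts; with them, both are rejected before any significant memory is allocated.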
He says that he discovered the bug in version 1.6.2, which was released in July 2013. It still exists after two major updates, in version 1.8.3.
A proof-of-concept exploit has been posted by Askar on his GitHub page. Microsoft, which acquired Mojang in 2014 for some $2.5 billion, has not yet commented on Askar’s claims.