UPDATED 10:20 EDT / APRIL 17 2015

User exposes Minecraft exploit after he said Mojang failed to act

About two years ago, a Pakistan-based developer named Ammar Askar discovered a vulnerability in Minecraft while he was working on mods for the block-building game. Askar says he informed Mojang AB of the problem, but after the studio failed to act on the information, he exposed the exploit on the internet, effectively forcing Mojang to come up with a fix. Yes, it’s essentially the premise of Live Free or Die Hard.

“I thought a lot before writing this post, on the one hand I don’t want to expose thousands of servers to a major vulnerability, yet on the other hand Mojang has failed to act upon it,” Askar wrote on his blog. “Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands [of] people play on servers running their software at any given time.”

Askar explained that the vulnerability made it possible for users to crash Minecraft servers with relatively little difficulty by overwhelming them with nested lists of data. While the lists look simple to create, they can be complicated for the servers to read, eventually causing them to run out of memory and crash.
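The class of flaw described above, where small nested lists cost far more to read than to send, is usually contained by bounding the decoder. The following is an added example, not code from Askar's post or from Mojang: the toy wire format, the limit values and all names are assumptions made for illustration.

```python
import struct

# Toy wire format, constructed for this example (not Minecraft's real format):
#   0x01 + 4-byte big-endian signed int  -> integer
#   0x09 + 4-byte big-endian count       -> list of `count` tagged values
TAG_INT, TAG_LIST = 0x01, 0x09

class LimitExceeded(ValueError):
    """Raised when input asks for more work than the decoder allows."""

class BoundedDecoder:
    def __init__(self, data, max_depth=8, max_nodes=10_000):
        self.data, self.pos = data, 0
        self.max_depth, self.budget = max_depth, max_nodes

    def _take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated input")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def decode(self, depth=0):
        self.budget -= 1  # one unit per value, shared across the whole message
        if self.budget < 0:
            raise LimitExceeded("node budget exhausted")
        tag = self._take(1)[0]
        if tag == TAG_INT:
            return struct.unpack(">i", self._take(4))[0]
        if tag == TAG_LIST:
            if depth >= self.max_depth:
                raise LimitExceeded("nesting too deep")
            (count,) = struct.unpack(">I", self._take(4))
            # Every element needs at least one byte, so a count larger than
            # the bytes left cannot be honest; reject it before looping.
            if count > len(self.data) - self.pos:
                raise LimitExceeded("declared count exceeds remaining input")
            return [self.decode(depth + 1) for _ in range(count)]
        raise ValueError(f"unknown tag {tag:#x}")

def encode(value):
    """Encoder for the toy format, used only to build constructed samples."""
    if isinstance(value, int):
        return bytes([TAG_INT]) + struct.pack(">i", value)
    body = b"".join(encode(item) for item in value)
    return bytes([TAG_LIST]) + struct.pack(">I", len(value)) + body

def safe_decode(data, **limits):
    return BoundedDecoder(data, **limits).decode()
```

The three checks are independent: depth caps recursion, the node budget caps total work for wide structures, and the count check stops a header from promising more elements than the message could contain.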

 


 

Askar points out that fixing the problem “isn’t exactly that hard,” and he even offered a couple of suggested solutions to Mojang when he discovered the flaw two years ago.

“They have a responsibility to fix and properly work out problems like this,” Askar wrote. “In addition, it should be noted that giving condescending responses to white hats who are responsibly disclosing vulnerabilities and trying to improve a product they enjoy is a sure fire way to get developers dis-interested the next time they come across a bug like this.”

After Askar released the details of the exploit, Mojang quickly released a fix that solved the issue. Askar updated his blog to note the solution, saying that the studio informed him that a fix had been implemented in the past, but it apparently did not address the problem.

“In retrospect, a final warning before this full disclosure more recently was probably in order,” Askar wrote. “A combination of miscommunication and lack of testing led to this situation today, hopefully it can be a good learning experience.”

Image credit: Mojang AB (c)
