If a security researcher finds a vulnerability in your software, please don’t ignore them.
Instead, be grateful that someone who has found a flaw in your product has chosen to let you know about it, rather than selling it (for probably more cash than you’ll offer them as a bug bounty) to some nefarious ne’er-do-well who might use it to steal information from you, endanger your customers or cause you costly downtime.
This advice comes to mind again with news reports that a software developer discovered a way to crash Minecraft-hosting servers… only to be ignored by the game’s developers for nearly two years.
Ammar Askar has published details on his blog of a method through which he could bring down servers running the phenomenally popular online game.
Askar claims that he found a way to exploit a vulnerability in how Minecraft servers decompress and parse data, causing the server to run out of memory and fall over. Using lists within lists within lists, Askar was able to trip up Minecraft servers with a file that compressed down to 36 KB but required over 26 MB of memory to expand.
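The defensive side of that bug, as an added example that is not code from Askar's post or from Mojang: a parser for a constructed, simplified subset of the NBT list encoding that caps decompressed size, caps list nesting depth, and checks a list's declared element count against the bytes actually present before allocating anything. The tag values, the MAX_DEPTH and MAX_INFLATED limits and the sample packets are all assumptions made for this example.

```python
import struct
import zlib
# Constructed subset of the NBT encoding Minecraft uses (example only): a list
# payload is element type (1 byte), count (int32 BE), then untagged payloads.
TAG_BYTE, TAG_LIST = 0x01, 0x09
MIN_SIZE = {TAG_BYTE: 1, TAG_LIST: 5}  # smallest encoding of each payload type
MAX_DEPTH = 64                         # assumed limit on list nesting
MAX_INFLATED = 2 << 20                 # assumed 2 MiB cap on an inflated packet

def inflate_bounded(blob, limit=MAX_INFLATED):
    d = zlib.decompressobj()
    out = d.decompress(blob, limit)     # never produce more than `limit` bytes
    if not d.eof:  # cap reached before end of stream (or stream is truncated)
        raise ValueError("inflated payload exceeds %d bytes" % limit)
    return out

def parse_payload(buf, pos, tag, depth=0):  # returns (value, next_pos)
    if depth > MAX_DEPTH:
        raise ValueError("list nesting deeper than %d" % MAX_DEPTH)
    if tag == TAG_BYTE:
        return buf[pos], pos + 1
    if tag != TAG_LIST:
        raise ValueError("unsupported tag 0x%02x" % tag)
    elem_type, count = struct.unpack_from(">BI", buf, pos)
    pos += 5
    # Validate the declared count against the bytes present before allocating.
    if count * MIN_SIZE.get(elem_type, 1) > len(buf) - pos:
        raise ValueError("list count %d exceeds remaining data" % count)
    items = []
    for _ in range(count):
        item, pos = parse_payload(buf, pos, elem_type, depth + 1)
        items.append(item)
    return items, pos

def check(blob):  # parsed root list, or the reason the packet was rejected
    try:
        return parse_payload(inflate_bounded(blob), 0, TAG_LIST)[0]
    except (ValueError, struct.error, IndexError) as exc:
        return "rejected: %s" % exc

def nest(levels):  # `levels` single-element lists around the byte list [7]
    if levels == 0:
        return struct.pack(">BI", TAG_BYTE, 1) + b"\x07"
    return struct.pack(">BI", TAG_LIST, 1) + nest(levels - 1)

def packet(kind):  # constructed test packets, zlib-compressed like real ones
    bodies = {"ok": nest(3), "deep": nest(MAX_DEPTH + 5),
              "bogus_count": struct.pack(">BI", TAG_LIST, 10**6),
              "bomb": bytes(4 * MAX_INFLATED)}  # 8 MiB of zeros
    return zlib.compress(bodies[kind])
```

Each limit is checked before the memory it guards is committed, which is the property the original parser lacked.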
The developer says that he informed Minecraft’s developers Mojang (since bought by Microsoft for $2.5 billion) in July 2013, and feels so frustrated with the lack of response that he has now decided to make the bug public:
“I responsibly and privately disclosed the problem to Mojang on 10th July, 2013. That’s nearly 2 years ago. I asked for updates in one month intervals over the course of 3 months and was ignored or given highly unsatisfactory responses. I kept my hopes up that the problem would be patched and checked the source code on new releases whenever I could.”
“The version of the game when the vulnerability was reported was 1.6.2, the game is now on version 1.8.3. That’s right, 2 major versions and dozens of minor versions and a critical vulnerability that allows you to crash any server, and starve the actual machines of CPU and memory was allowed to exist.”
In addition, Askar has published proof-of-concept code which demonstrates the exploit:
“I don’t want to expose thousands of servers to a major vulnerability, yet on the other hand Mojang has failed to act upon it. Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands people play on servers running their software at any given time. They have a responsibility to fix and properly work out problems like this.”
Although I can fully understand Askar’s frustration with the Minecraft flaw not being fixed, I’m not a fan of fully disclosing details of the flaw and providing code which others can use to exploit it.
In my opinion, a better approach would have been to try to interest the media in the flaw and see if they could pressure Minecraft’s developers into fixing the problem, rather than potentially putting computer systems at risk.
Also, perhaps Askar could have given Mojang a final warning before going public. Reading his blog post, it sounds as if the last time he contacted the developers was in October 2013.
Askar says that since he first published his blog post, Mojang has been in touch and is working on a proper fix. Let’s all hope that the issue gets resolved promptly, and that better systems are put in place in future to make sure serious bugs do not get ignored.
This article originally appeared on the Optimal Security blog.