Minecraft learns to its cost, it’s not good to ignore vulnerability reports

Graham Cluley

If a security researcher finds a vulnerability in your software, please don’t ignore them.

Instead, be grateful that someone who has found a flaw in your product has chosen to let you know about it, rather than selling it (for probably more cash than you’ll offer them as a bug bounty) to some nefarious ne’er-do-well who might use it to steal information from you, endanger your customers or cause you costly downtime.

This advice comes to mind again with news reports that a software developer discovered a way to crash Minecraft-hosting servers… only to be ignored by the game’s developers for nearly two years.


Ammar Askar has published details on his blog of a method through which he could bring down servers running the phenomenally popular online game.

Askar claims that he found a way to exploit a vulnerability in how Minecraft servers decompress and parse data, causing the server to run out of memory and fall over. Using lists within lists within lists, Askar was able to trip over Minecraft servers with a file that compressed down to 36 KB but required over 26 MB of memory to expand.
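The defensive side of the problem described above is that a parser must refuse to honour what an untrusted header claims before it allocates anything. The following added example (not code from the article, from Askar, or from Mojang) uses a toy tag format of my own, not Minecraft's real NBT encoding, and shows the two checks a server-side decoder wants: a cap on decompressed size applied during inflation, and a nesting-depth plus total-element budget applied during parsing. The budget values are assumed for illustration.

```python
"""Bounding decompressed size and nesting depth in a nested-list parser.

Toy tag format (constructed for this example, NOT Minecraft's NBT):
  0x01 INT   : followed by a 4-byte big-endian signed integer
  0x02 LIST  : followed by a 4-byte big-endian count, then `count` tags
"""
import struct
import zlib

TAG_INT, TAG_LIST = 0x01, 0x02

# Assumed budgets for illustration; a real server would tune these.
MAX_DECOMPRESSED = 512 * 1024   # bytes of inflated output we are willing to hold
MAX_DEPTH = 32                   # lists nested inside lists
MAX_ELEMENTS = 100_000           # tags in the whole document


class PayloadRejected(ValueError):
    """Raised when input exceeds a resource budget or is malformed."""


def encode(value) -> bytes:
    """Serialize an int or a (nested) list of ints into the toy format."""
    if isinstance(value, int):
        return bytes([TAG_INT]) + struct.pack(">i", value)
    out = bytearray([TAG_LIST]) + struct.pack(">I", len(value))
    for item in value:
        out += encode(item)
    return bytes(out)


def bounded_decompress(data: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate `data`, stopping as soon as the output would exceed `limit`.

    zlib's max_length makes the decompressor return early instead of
    growing an output buffer to whatever size the stream expands to.
    """
    d = zlib.decompressobj()
    out = d.decompress(data, limit + 1)
    if len(out) > limit or d.unconsumed_tail:
        raise PayloadRejected(f"decompressed size exceeds {limit} bytes")
    if not d.eof:
        raise PayloadRejected("truncated or malformed compressed stream")
    return out


def parse(buf: bytes, max_depth: int = MAX_DEPTH, max_elements: int = MAX_ELEMENTS):
    """Parse one document, enforcing depth and element budgets before allocating."""
    pos = 0
    seen = 0  # tags decoded so far across the whole document

    def read_tag(depth):
        nonlocal pos, seen
        seen += 1
        if seen > max_elements:
            raise PayloadRejected(f"more than {max_elements} elements")
        if pos >= len(buf):
            raise PayloadRejected("unexpected end of data")
        tag = buf[pos]
        pos += 1
        if tag == TAG_INT:
            if pos + 4 > len(buf):
                raise PayloadRejected("truncated INT")
            (v,) = struct.unpack_from(">i", buf, pos)
            pos += 4
            return v
        if tag == TAG_LIST:
            if depth >= max_depth:
                raise PayloadRejected(f"nesting deeper than {max_depth}")
            if pos + 4 > len(buf):
                raise PayloadRejected("truncated LIST header")
            (count,) = struct.unpack_from(">I", buf, pos)
            pos += 4
            # Every element costs at least one byte, so a count larger than the
            # remaining input is a lie and is refused before any list is built.
            if count > len(buf) - pos:
                raise PayloadRejected("list count exceeds remaining input")
            return [read_tag(depth + 1) for _ in range(count)]
        raise PayloadRejected(f"unknown tag 0x{tag:02x}")

    value = read_tag(0)
    if pos != len(buf):
        raise PayloadRejected("trailing bytes after document")
    return value


def check_payload(compressed: bytes, limit=MAX_DECOMPRESSED,
                  max_depth=MAX_DEPTH, max_elements=MAX_ELEMENTS):
    """Bounded inflate, then budgeted parse; returns ("ok", value) or ("rejected", why)."""
    try:
        return "ok", parse(bounded_decompress(compressed, limit), max_depth, max_elements)
    except (PayloadRejected, zlib.error) as exc:
        return "rejected", str(exc)


def nested(n):
    """Constructed sample: n lists wrapped around a single int."""
    v = 0
    for _ in range(n):
        v = [v]
    return v


if __name__ == "__main__":
    legit = zlib.compress(encode([1, [2, 3], [[4]]]))
    wide = zlib.compress(encode([0] * 200_000))   # about 1 MB once inflated
    deep = zlib.compress(encode(nested(64)))
    for name, blob in (("legit", legit), ("wide", wide), ("deep", deep)):
        print(f"{name}: {len(blob)} bytes compressed -> {check_payload(blob)}")
```

The "wide" sample is a few thousand bytes on the wire but over a megabyte inflated, which is the same shape of imbalance the article describes; the decompression cap rejects it without the parser ever seeing it. The "deep" sample inflates to a few hundred bytes and is caught by the depth budget instead, and the element budget covers a document that is neither large nor deep but simply has too many tags.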

Lists within lists

The developer says that he informed Minecraft’s developers Mojang (since bought by Microsoft for $2.5 billion) in July 2013, and feels so frustrated with the lack of response that he has now decided to make the bug public:

“I responsibly and privately disclosed the problem to Mojang on 10th July, 2013. That’s nearly 2 years ago. I asked for updates in one month intervals over the course of 3 months and was ignored or given highly unsatisfactory responses. I kept my hopes up that the problem would be patched and checked the source code on new releases whenever I could.”

“The version of the game when the vulnerability was reported was 1.6.2; the game is now on version 1.8.3. That’s right, 2 major versions and dozens of minor versions and a critical vulnerability that allows you to crash any server, and starve the actual machines of CPU and memory, was allowed to exist.”

In addition, Askar has published proof-of-concept code which demonstrates the exploit:

“I don’t want to expose thousands of servers to a major vulnerability, yet on the other hand Mojang has failed to act upon it. Mojang is no longer a small indie company making a little indie game; their software is used by thousands of servers, and hundreds of thousands of people play on servers running their software at any given time. They have a responsibility to fix and properly work out problems like this.”

Although I can fully understand Askar’s frustration with the Minecraft flaw not being fixed, I’m not a fan of fully disclosing details of the flaw and providing code which others can use to exploit it.

In my opinion, a better approach would have been to try and interest the media in the flaw and see if they could pressure Minecraft’s developers into fixing the problem rather than potentially putting computer systems at risk.

Also, perhaps Askar could have given Mojang a final warning before going public. Reading his blog post it does sound as if the last time he contacted the developers was in October 2013.

Askar says that since first publishing his blog post, Mojang has been in touch and are working on a proper fix. Let’s all hope that the issue gets resolved promptly, and better systems are put in place in future to make sure serious bugs do not get ignored.

This article originally appeared on the Optimal Security blog.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.
