Minecraft was the undisputed indie success story of 2010. The game with in 3 years of its launch became third most popular computer game of all time, following Tetris and Wii Sports. Recently, a security researcher posted an exploit that could allow a hacker to crash Minecraft servers with ease. Worrying!?
Ammar Askar observed the exploit allows attackers to send malformed packets that can crash the servers by exhausting its memory. The guy wasting no time informed the game’s creator Mojang immediately but his advise met with highly unsatisfactory response.
Aksar pointed out he had found the bug in version 1.6.2, released sometime in July 2013 and even after 2 years of further development, he still finds the bug in updated version 1.8.3.
I don’t want to expose thousands of servers to a major vulnerability, yet on the other hand Mojang has failed to act upon it,” he wrote. “Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands people play on servers running their software at any given time. The fix for this vulnerability isn’t exactly that hard, the client should never really send a data structure as complex as NBT of arbitrary size and if it must, some form of recursion and size limits should be implemented”, He added further.
After the researcher’s warning repeatedly fell on the deaf ears of the game’s creator – Mojang or it allegedly ignored the warnings, he decided to go ahead and make the exploit public.
To support his claims, Aksar has released proof-of-concept attack code that exploits the vulnerability to crash any server hosting the game.