Mojang fixes Minecraft vulnerability that allowed players to crash servers
Coder openly details method after waiting two years for fix.
Mojang has issued an update for the PC version of Minecraft after a coder detailed an easy-to-manipulate vulnerability that allowed players to crash servers.
Pakistan-based developer Ammar Askar openly showcased the method via his blog last night after nearly two years of waiting for developer Mojang to respond (thanks, Ars Technica).
Askar first discovered the exploit back in July 2013, and promptly contacted Mojang so the studio could patch it out.
Mojang did not acknowledge him until his second message, and even then the bug remained unfixed.
Askar gave up on contacting Mojang after sending two more messages. Now, nearly two years later, he has decided the only way to draw attention to the issue was to reveal it openly and hope that Mojang would be forced to respond.
"The version of the game when the vulnerability was reported was 1.6.2, the game is now on version 1.8.3," he wrote.
"That's right, two major versions and dozens of minor versions and a critical vulnerability that allows you to crash any server, and starve the actual machines of CPU and memory was allowed to exist."
The exploit works by flooding the game's servers with information about a particular inventory slot. Askar discovered that it was easy to create code that the game struggled to understand, to the point where the server would crash.
Since Askar revealed the issue, Mojang has been in touch and has finally published a fix.