It is interesting to see how massive games like Minecraft can be at the risk of getting shot down with server crashes, and it is even more interesting to find out that the developers have not done anything about a certain exploit for the same that has now lasted for around two years!
Ammar Askar, a Pakistan-based developer recently posted a detailed account of how the servers of Minecraft are vulnerable. He has reported on a massive exploit using which anyone can single-handedly crash the game’s servers – he has backed it up with a proof of concept.
During my poking around within the networking internals of Minecraft, I came across a fairly substantial problem that allowed anyone to send certain malformed packets and crash a server by running it out of memory.
What’s even more interesting is that he has been working on it since the time when the game’s build was 1.6.2 (it is 1.8.3 now) and ever since then neither did the developers fix it nor did they take the guy seriously – he claims.
You might think that the guy went overboard by disclosing the details on the internet but in his opinion there was no other way left to bring it to the attention of the developers:
I thought a lot before writing this post, on the one hand I don’t want to expose thousands of servers to a major vulnerability, yet on the other hand Mojang has failed to act upon it.
He states that he tried contacting the developers on five occasions, but – it stuns me to know that – he was completely ignored.
Now that the exploit is public, Mojang has apparently contacted him:
With the release of this full disclosure I have actually made contact with Mojang and they are working to fix the issue. Apparently the initial fix they tried failed which indicates a lack of proper testing.
We haven’t shared the specifics of the Minecraft exploit on purpose but you can go here to read up on it.