A developer has exposed a vulnerability in Minecraft’s code that can crash any server hosting the game.
The easily triggerable exploit, which involves flooding the server with infinitely looping requests for information about a specific inventory slot, brings Minecraft to its digital knees and starves the machines of CPU and memory.
Rather alarmingly, it’s claimed that the vulnerability was privately revealed to Mojang almost two years ago, and that no action was taken by the developer at the time.
The coder who discovered the flaw, Ammar Askar, said he had made repeated attempts to draw Mojang’s attention to the bug before giving up and taking the drastic measure of publicly revealing it on his blog. Ars Technica has the nitty-gritty.
“The version of the game when the vulnerability was reported was 1.6.2, the game is now on version 1.8.3,” wrote Askar. “That’s right, two major versions and dozens of minor versions and a critical vulnerability that allows you to crash any server, and starve the actual machines of CPU and memory was allowed to exist.”
The now publicly available and easily recreatable exploit has finally drawn the attention of Mojang, who have been in touch with Askar and issued a fix.