But it’s okay – they fixed other “arguably worse” ones too!
Minecraft developer Mojang has addressed a serious security flaw following a blog post that publicly chastised the company for not responding to proof that a security flaw could cripple the game’s servers.
In July 2013, programmer Ammar Askar “responsibly and privately disclosed the problem” to the Minecraft team and asked for updates in “one month intervals over the course of 3 months”. Feeling “ignored or given highly unsatisfactory responses”, Askar broke his silence at the end of last week, frustrated that the vulnerability — which allows you to “crash any server, and starve the actual machines of the CPU and memory” — was not addressed despite two major updates and dozens of minor patches.
“I thought a lot before writing this post,” Askar wrote in his blog. “On the one hand I don’t want to expose thousands of servers to a major vulnerability, yet on the other hand Mojang has failed to act on it.”
“Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands of people play on servers running their software at any given time.”
“In addition, it should be noted that giving condescending responses to white hats who are responsibly disclosing vulnerabilities and trying to improve a product they enjoy is a surefire way to get developers disinterested the next time they come across a bug like this.”
Within 24 hours of the story breaking on Ars Technica late last week, Mojang had addressed the problem, with the website confirming that the latest update, 1.8.4, addresses “a few reported security issues, in addition to some other minor bug fixes & performance tweaks.”
A caustic tweet from Minecraft developer Nathan Adams noted that whilst “that” exploit is fixed in 1.8.4, “so are other (arguably worse) exploits.” So… that’s a good thing, I guess? I think?