Mojang took two years to address Minecraft security flaw, says programmer


But it’s okay – they fixed other “arguably worse” ones too!

Minecraft developer Mojang has addressed a serious security flaw following a blog post that publicly chastised the company for not responding to proof that a security flaw could cripple the game’s servers.

In July 2013, programmer Ammar Askar “responsibly and privately disclosed the problem” to the Minecraft team and asked for updates in “one month intervals over the course of 3 months”. Feeling “ignored or given highly unsatisfactory responses”, Askar broke his silence at the end of last week, frustrated that the vulnerability — which allows you to “crash any server, and starve the actual machines of the CPU and memory” — was not addressed despite two major updates and dozens of minor patches.

“I thought a lot before writing this post,” Askar wrote in his blog. “On the one hand I don’t want to expose thousands of servers to a major vulnerability, yet on the other hand Mojang has failed to act on it.”

“Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands of people play on servers running their software at any given time.”

“In addition, it should be noted that giving condescending responses to white hats who are responsibly disclosing vulnerabilities and trying to improve a product they enjoy is a sure-fire way to get developers disinterested the next time they come across a bug like this.”

Within 24 hours of the story breaking on Ars Technica late last week, Mojang had addressed the problem, the website confirming that latest update 1.8.4 addresses “a few reported security issues, in addition to some other minor bug fixes & performance tweaks.”

A caustic tweet from Minecraft developer Nathan Adams noted that whilst “that” exploit is fixed in 1.8.4, “so are other (arguably worse) exploits.” So… that’s a good thing, I guess? I think?