Server-crashing Minecraft exploit published after game maker "failed to act"

Mojang, the game's creator, allegedly ignored warnings for almost a year.

A security researcher has posted an exploit which could allow a hacker to crash Minecraft servers with ease.

In a blog post published Thursday, Ammar Askar said he informed the game's creator Mojang almost two years ago of the flaw, but was "ignored" or "given highly unsatisfactory responses."

The exploit abuses a weakness in how the Minecraft server decompresses and parses data, causing the server to run out of memory under extreme processor load.

"The fix for this vulnerability isn't exactly that hard," Askar wrote. He suggested, citing his initial communication with Mojang, that "some form of recursion and size limits should be implemented."

But that still hasn't happened, he says. Askar said he found the bug in version 1.6.2, released July 2013, but it still exists two major updates later in version 1.8.3.
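The recursion and size limits Askar recommends, sketched in Python as an added example (not code from Askar, Mojang, or this article): a decompress-then-parse path that caps inflated size, nesting depth, and total value count. The toy wire format, the limit values, and every function name here are constructed for illustration and are not Minecraft's.

```python
import struct
import zlib

# Assumed limits for illustration; a real server tunes these to its protocol.
MAX_INFLATED, MAX_DEPTH, MAX_ELEMENTS = 64 * 1024, 16, 4096
TAG_INT, TAG_LIST = 1, 2  # constructed toy format, not Minecraft's wire format

class LimitExceeded(ValueError): pass  # input would cost more than allowed

def bounded_inflate(blob, limit=MAX_INFLATED):
    """Inflate zlib data, never producing more than `limit` bytes."""
    d = zlib.decompressobj()
    out = d.decompress(blob, limit + 1)  # stop one byte past the cap
    if len(out) > limit:
        raise LimitExceeded("decompressed size exceeds limit")
    if not d.eof:
        raise ValueError("incomplete zlib stream")
    return out

def parse_value(buf, pos, depth, budget):
    """Parse one value at `pos`; returns (value, next_pos)."""
    budget[0] -= 1  # one counter shared by the whole packet
    if depth > MAX_DEPTH or budget[0] < 0:
        raise LimitExceeded("nesting too deep or too many values")
    if len(buf) - pos < 5:  # every value is a tag byte plus 4 bytes
        raise ValueError("truncated input")
    tag, (word,) = buf[pos], struct.unpack_from(">i", buf, pos + 1)
    pos += 5
    if tag == TAG_INT:
        return word, pos
    if tag != TAG_LIST or word < 0:
        raise ValueError("bad tag or negative list length")
    items = []
    for _ in range(word):  # bounded by the budget check above
        item, pos = parse_value(buf, pos, depth + 1, budget)
        items.append(item)
    return items, pos

def decode_packet(blob):  # decompress, then parse, with both stages bounded
    data = bounded_inflate(blob)
    value, end = parse_value(data, 0, 0, [MAX_ELEMENTS])
    if end != len(data):
        raise ValueError("trailing bytes after value")
    return value

def encode(v):  # builds constructed samples in the toy format
    if isinstance(v, int):
        return bytes([TAG_INT]) + struct.pack(">i", v)
    return bytes([TAG_LIST]) + struct.pack(">i", len(v)) + b"".join(map(encode, v))
```

The size cap is enforced during inflation rather than after it, so an oversized stream is rejected before its full output is ever held in memory.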

Askar posted a proof-of-concept exploit to his GitHub page.

"I don't want to expose thousands of servers to a major vulnerability, yet on the other hand Mojang has failed to act upon it," he wrote. "Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands people play on servers running their software at any given time."

Microsoft, which last year bought Mojang for $2.5 billion, did not immediately respond to a request for comment.