Minecraft vulnerability leaves servers exposed to forced crashes
Developer Ammar Askar has revealed a serious vulnerability in Minecraft that will allow just about anyone to crash a hosting server. The security flaw results from the ability of the client to send information to the server about inventory slots; when used in conjunction with the NBT metadata storage format, users can send packets that are "incredibly complex for the server to deserialize but trivial for us to generate."
The explanation on Askar's blog (via Ars Technica) is fairly technical, but what it boils down to is that Minecraft users can, with relative ease, create objects that simply overwhelm remote servers. As an example, Askar created one called "rekt," a five-level series of lists within lists.
"The root of the object, rekt, contains 300 lists. Each list has a list with 10 sublists, and each of those sublists has 10 of their own, up until 5 levels of recursion. That’s a total of 10^5 * 300 = 30,000,000 lists," he explained. "And this isn’t even the theoretical maximum for this attack. Just the NBT data for this payload is 26.6 megabytes. But luckily Minecraft implements a way to compress large packets, lucky us! zlib shrinks down our evil data to a mere 39 kilobytes."
The killing stroke comes when the server decompresses that data and then tries to digest it. "When it attempts to parse it into NBT, it’ll create java representations of the objects meaning suddenly, the server is having to create several million java objects including ArrayLists," Askar wrote. "This runs the server out of memory and causes tremendous cpu load."
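The failure described above, a small compressed packet that inflates into millions of nested lists, is what output-size, nesting-depth and element-count budgets in a decoder guard against. The following is an added example, not Mojang's fix and not code from Askar's post: a Python decoder for a simplified subset of the NBT list layout (lists of lists and lists of bytes only), with hypothetical function names and limit values chosen for illustration.

```python
import struct
import zlib

TAG_END, TAG_BYTE, TAG_LIST = 0, 1, 9  # element type ids in an NBT list header

class LimitExceeded(ValueError):
    """Decoding this input would exceed a resource budget."""

def bounded_inflate(blob, max_out):
    # Ask zlib for one byte more than allowed; receiving it means "too big".
    d = zlib.decompressobj()
    out = d.decompress(blob, max_out + 1)
    if len(out) > max_out:
        raise LimitExceeded("inflates past %d bytes" % max_out)
    return out

def parse_list(buf, pos, budget, depth, max_depth):
    # budget is a one-item list so all nested calls draw on one counter.
    if depth > max_depth:
        raise LimitExceeded("nesting deeper than %d" % max_depth)
    elem_type, count = struct.unpack_from(">bi", buf, pos)  # struct.error if short
    pos += 5
    # Charge the declared element count before allocating anything for it.
    if count < 0 or count > budget[0]:
        raise LimitExceeded("element budget exhausted")
    budget[0] -= count
    if elem_type == TAG_LIST:
        items = []
        for _ in range(count):
            item, pos = parse_list(buf, pos, budget, depth + 1, max_depth)
            items.append(item)
        return items, pos
    if elem_type == TAG_BYTE and pos + count <= len(buf):
        return list(buf[pos:pos + count]), pos + count
    if elem_type == TAG_END and count == 0:
        return [], pos
    raise ValueError("unsupported or truncated list")

def decode_packet(blob, max_bytes=1 << 20, max_nodes=10_000, max_depth=8):
    raw = bounded_inflate(blob, max_bytes)
    tree, end = parse_list(raw, 0, [max_nodes], 1, max_depth)
    if end != len(raw):
        raise ValueError("trailing bytes after root list")
    return tree

def encode_list(items):  # builds constructed sample inputs for the decoder
    nested = bool(items) and isinstance(items[0], list)
    body = b"".join(map(encode_list, items)) if nested else bytes(items)
    kind = TAG_LIST if nested else TAG_BYTE if items else TAG_END
    return struct.pack(">bi", kind, len(items)) + body
```

The budget is charged from the declared count in each list header, so an oversized structure is rejected before any objects are allocated for it.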
Askar said he was hesitant to reveal the flaw, but decided to go ahead because Mojang hasn't done anything to fix it despite being warned about it almost two full years ago. "Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands [of] people play on servers running their software at any given time. They have a responsibility to fix and properly work out problems like this," he wrote. "In addition, it should be noted that giving condescending responses to white hats who are responsibly disclosing vulnerabilities and trying to improve a product they enjoy is a sure fire way to get developers dis-interested the next time they come across a bug like this."
In an update to his post, he noted that in the wake of his revelation, Mojang has identified the problem and attempted to fix it, but has thus far been unable to do so.
Update: Mojang has released a security update that takes Minecraft to version 1.8.4, which fixes the security vulnerability "in addition to some other minor bug fixes & performance tweaks." The update is fully compatible with all previous 1.8 releases, and Mojang strongly recommends that all players upgrade to the new version as soon as possible.

Andy has been gaming on PCs from the very beginning, starting as a youngster with text adventures and primitive action games on a cassette-based TRS80. From there he graduated to the glory days of Sierra Online adventures and Microprose sims, ran a local BBS, learned how to build PCs, and developed a longstanding love of RPGs, immersive sims, and shooters. He began writing videogame news in 2007 for The Escapist and somehow managed to avoid getting fired until 2014, when he joined the storied ranks of PC Gamer. He covers all aspects of the industry, from new game announcements and patch notes to legal disputes, Twitch beefs, esports, and Henry Cavill. Lots of Henry Cavill.

