Minecraft Exploit Published 2 Years After Mojang Failed To Fix

HardOCP News

On the one hand, I think stuff like this needs to happen when developers don't fix their products after being given ample time to do so. On the other hand, it sucks for players now that anyone can exploit this. :(

Following the de facto standard procedure, I responsibly and privately disclosed the problem to Mojang on 10th July, 2013. That's nearly 2 years ago. I asked for updates at one-month intervals over the course of 3 months and was ignored or given highly unsatisfactory responses. I kept my hopes up that the problem would be patched and checked the source code on new releases whenever I could.
 
That sucks, but they had a lot of time to address it. If they throw a bitch fit, I don't think they'll get a whole lot of support. More like Microsoft's old exploits - "Why didn't you fix it when you knew about it before it became a huge problem?".
 
Not surprised. The folks building Minecraft plugins were always more talented than anyone employed at Mojang, and everyone at Mojang was too busy appeasing the demands of whiny 10 year olds or else poorly copying the work of others.
 
Not surprised. The folks building Minecraft plugins were always more talented than anyone employed at Mojang, and everyone at Mojang was too busy appeasing the demands of whiny 10 year olds or else poorly copying the work of others.

And making millions.
 
I don't agree with any of this proper avenue stuff; publish exploits right away. I'm tired of hearing "oh, we waited a long time." I have learned through decades of experience that there is only one surefire way to motivate action, and that is through need, and the bigger the company or success, the longer it takes them to do anything. When an exploit hits a game dev fast, hard and open, the game dev will react fast. Second, typically exploits that are known about are known by a select few people, and some of those people go the whole time exploiting. So if you keep it under wraps, it's still being abused; it's just that most people don't know what they are getting hit with. A big reason openness works better is because it has been my experience that most software devs actually ignore knowledgeable people. They think of them as a small niche squeaky wheel in their user base. But when the masses of people are posting on the forums and stuff is being discussed on blogs, forums, social media, etc., they are forced to answer.
 
So the exploit causes the game to crash? Who really cares, if Minecraft was stealing credit card details they would have been a lot more concerned.
 
Following the de facto standard procedure, I responsibly and privately disclosed the problem to Mojang on 10th July, 2013. That's nearly 2 years ago. I asked for updates at one-month intervals over the course of 3 months and was ignored or given highly unsatisfactory responses.

The guy works on a plugin and made demands like that? I wouldn't deal with that fucker either. Who does he think he is? I get that he found an issue, but frankly it's a pretty damn mild issue. An exploit that can crash someone's Minecraft server that nobody but one guy knew about is not a very high issue on the food chain.
 
The guy works on a plugin and made demands like that? I wouldn't deal with that fucker either. Who does he think he is? I get that he found an issue, but frankly it's a pretty damn mild issue. An exploit that can crash someone's Minecraft server that nobody but one guy knew about is not a very high issue on the food chain.

Any exploit that can crash a server is not a mild exploit. Try playing in a game with one and having random people crash servers at will. Any kid who wants to rage quit and knows it can now take the whole server down. If you have a serious troll, they can just keep coming back and ruin a server so people quit going to that server.
 
Any exploit that can crash a server is not a mild exploit. Try playing in a game with one and having random people crash servers at will. Any kid who wants to rage quit and knows it can now take the whole server down. If you have a serious troll, they can just keep coming back and ruin a server so people quit going to that server.

You missed the part about nobody knowing about it. 2 years and nobody knew besides this one bitter fuck. If it was actually happening, I'd consider it an issue, but it wasn't.
 
I don't agree with any of this proper avenue stuff; publish exploits right away. I'm tired of hearing "oh, we waited a long time." I have learned through decades of experience that there is only one surefire way to motivate action, and that is through need, and the bigger the company or success, the longer it takes them to do anything. When an exploit hits a game dev fast, hard and open, the game dev will react fast. Second, typically exploits that are known about are known by a select few people, and some of those people go the whole time exploiting. So if you keep it under wraps, it's still being abused; it's just that most people don't know what they are getting hit with. A big reason openness works better is because it has been my experience that most software devs actually ignore knowledgeable people. They think of them as a small niche squeaky wheel in their user base. But when the masses of people are posting on the forums and stuff is being discussed on blogs, forums, social media, etc., they are forced to answer.

From the other side: a reasonable and informed disclosure date is much better. The fact is, you don't want a company to "react fast" where fast means "today or tomorrow." That leads to poor quality patches, in-the-wild exploits spun up instantly, etc. You know when there's a big fiasco because a minor bug in a Windows update affects 1% of the users, resulting in thousands of machines crashing? Or when it's a significantly bigger issue because the patch is a rushed security patch and it affects more than 1% of users? Now, imagine every patch released was like that. On top of that, think of the times where a rushed patch is implemented, but the core flaw isn't fixed or new issues are exposed.

If you and they know about a critical issue where you've given enough timeline for the following, feel free to release, but there needs to be time for a few things to happen. One, the company in question has to identify the cause of the issue and a best way to fix it. Two, the company should look for existing evidence of the issue being used. Three, other areas of code should be analyzed for similar issues. Four, the patch should be rigorously tested on as many configurations as possible within the company's budget constraints to check for unexpected areas it impacts/causes other bugs. Five, the initial submitter and other partners should be given a chance to test the patch for evidence it fixes their system without adverse effects.

When those are followed, an issue that is found by a private researcher, but not in the wild, should take between 90-180 days to fix and test. An issue reported and apparently already in the wild should take up to 90 days to try to cram as much testing as possible in. If you "find then disclose immediately", you are definitely forcing an answer, but it likely will be a poor one.
 
I don't agree with any of this proper avenue stuff; publish exploits right away. I'm tired of hearing "oh, we waited a long time." I have learned through decades of experience that there is only one surefire way to motivate action, and that is through need, and the bigger the company or success, the longer it takes them to do anything. When an exploit hits a game dev fast, hard and open, the game dev will react fast. Second, typically exploits that are known about are known by a select few people, and some of those people go the whole time exploiting. So if you keep it under wraps, it's still being abused; it's just that most people don't know what they are getting hit with. A big reason openness works better is because it has been my experience that most software devs actually ignore knowledgeable people. They think of them as a small niche squeaky wheel in their user base. But when the masses of people are posting on the forums and stuff is being discussed on blogs, forums, social media, etc., they are forced to answer.

A company only has so many people that know wtf is going on with their software to fix serious exploits. The quiet release approach allows them to live normal lives most of the time and do the 24/7 panic mode occasionally.
Releasing everything would make panic mode the norm. The people would be burned out and numb to the panic, and more likely to take longer to come out with fixes when they do come out with them.
 
The guy works on a plugin and made demands like that? I wouldn't deal with that fucker either. Who does he think he is? I get that he found an issue, but frankly it's a pretty damn mild issue. An exploit that can crash someone's Minecraft server that nobody but one guy knew about is not a very high issue on the food chain.

I second this. I would have ignored him too based on his attitude.

Minecraft has a bug tracker: https://bugs.mojang.com/browse/MC. Did he try submitting it there? That's what I would have done. It would have been made public immediately. Lots of malicious users might have suddenly started exploiting it. People being affected by it could have commented and created activity in the tracker about it. This probably would have gotten it noticed and fixed a lot quicker.
 
I second this. I would have ignored him too based on his attitude.

Minecraft has a bug tracker: https://bugs.mojang.com/browse/MC. Did he try submitting it there? That's what I would have done. It would have been made public immediately. Lots of malicious users might have suddenly started exploiting it. People being affected by it could have commented and created activity in the tracker about it. This probably would have gotten it noticed and fixed a lot quicker.

This, there is a bug tracker, where you know... you report bugs.

He should have gone there, reported the bug and let it be.
 
This, there is a bug tracker, where you know... you report bugs.

He should have gone there, reported the bug and let it be.

Correct. I think he was "after something" or had some sort of misguided sense of justice.
 
Correct. I think he was "after something" or had some sort of misguided sense of justice.

After reading the article and some other stuff by the guy, it's just a really big ass ego. PS: why does he maintain a blog that sees no activity for 4 years at a time?
 
This, there is a bug tracker, where you know... you report bugs.

He should have gone there, reported the bug and let it be.

A bug reported there would be like doing a day 0 release of an exploit. Lots of griefing, panic-mode patch by dev, bad stuff all around. From what I see, he tried to do the right thing and didn't get a response in a timely fashion.
 
A bug reported there would be like doing a day 0 release of an exploit. Lots of griefing, panic-mode patch by dev, bad stuff all around. From what I see, he tried to do the right thing and didn't get a response in a timely fashion.

Why is he owed a response?
 
Why is he owed a response?

If we don't give a response or work with someone who is helping us find issues like this, we discourage responsible disclosure. It's less about being "owed a response" and more about avoiding actions that generate ill-will or encourage "well, might as well just go public right when I find it, they never answer anyway" mentality.
 