
Untitled Goose Game security hole could have allowed hackers to wreak havoc


Is nothing sacred?

The highly popular “Untitled Goose Game” has been found to be vulnerable to an attack that could allow hackers to run malicious code on your computer.

“Untitled Goose Game”, which lets players take control of a truly horrendous goose terrorising an unsuspecting village, is considered by some to be one of the year’s most fun indie video games and is available for Windows, macOS and Nintendo Switch.

And as word spread of just how much fun could be had making mischief, honking at an elderly man in his garden and almost giving him a heart attack, the game quickly became a viral sensation.

HONK!

Now, with details published of a vulnerability in the way the game reads its save files, “viral” might almost take on a different meaning.

Security researcher Denis Andzakovic of Pulse Security found a remote code execution vulnerability in “Untitled Goose Game” that could be exploited by hackers.

According to Andzakovic, the flaw lies in how the game processes the contents of a save file. If an attacker were able to trick a player into loading a poisoned save file, the vulnerability could be leveraged to execute code of the attacker’s choosing on the player’s machine.

Such a technique could be used to plant other malware or spyware onto the computer of a fan of “Untitled Goose Game”. Not that such a fan is likely to have much of value on their infected computer, as they will be spending all their time pretending to be an anti-social goose rather than getting any work done…

As a proof-of-concept, the researcher was able to create a booby-trapped save file for the game which, when loaded, ran Windows Calculator. Of course, the payload could easily be changed for something nastier.
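To show the class of bug being described, here is an added example; it is not code from the game, from House House, or from the Pulse Security write-up. The article does not say which serialisation format the game used, so Python’s pickle stands in for it: a save-file loader that hands attacker-controlled bytes to a deserialiser capable of describing object construction and function calls, placed beside a hardened loader that reads a data-only format and validates every field. The names (SaveGame, PoisonedSave, record_payload, load_save_unsafe, load_save_safe) are hypothetical, and the “payload” only records that it ran instead of launching Calculator.

```python
import json
import pickle

# Constructed in-process marker standing in for the real payload: the
# proof-of-concept on the page launched Windows Calculator; this just records
# that attacker-chosen code ran while the save file was being loaded.
PAYLOAD_RAN = []


class SaveGame:
    """Plain save state: the only fields a loader genuinely needs."""

    def __init__(self, level, honks):
        self.level = level
        self.honks = honks


def record_payload(message):
    """Attacker-chosen callable (hypothetical). Any importable function,
    os.system for instance, could be named instead. Returns a plausible
    save object so the victim sees nothing odd after loading."""
    PAYLOAD_RAN.append(message)
    return SaveGame(0, 0)


class PoisonedSave:
    """Attacker-side object. pickle serialises it as 'call record_payload
    with these arguments', and the victim's unpickler obeys on load."""

    def __reduce__(self):
        return (record_payload, ("code ran during save load",))


def make_poisoned_save():
    """Builds the booby-trapped save file bytes (constructed sample)."""
    return pickle.dumps(PoisonedSave())


def make_legit_save(level, honks):
    """Data-only save file for the hardened loader (constructed sample)."""
    return json.dumps({"level": level, "honks": honks}).encode("utf-8")


def load_save_unsafe(blob):
    """Vulnerable loader: the file format can describe object construction
    and function calls, so the file decides what code runs. Never do this
    with input a user can edit or swap."""
    return pickle.loads(blob)


SAVE_SCHEMA = {"level": int, "honks": int}


def load_save_safe(blob):
    """Hardened loader: parse a data-only format, validate field names,
    types and ranges, then build game state yourself. The file may supply
    values but never behaviour."""
    try:
        data = json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("save file is not well-formed") from exc
    if not isinstance(data, dict) or set(data) != set(SAVE_SCHEMA):
        raise ValueError("unexpected save fields")
    for key, expected in SAVE_SCHEMA.items():
        # type() rather than isinstance(): bool is a subclass of int
        if type(data[key]) is not expected or data[key] < 0:
            raise ValueError("bad value for " + key)
    return SaveGame(data["level"], data["honks"])


def demo():
    """Feeds the same poisoned file to both loaders. Returns (payload fired
    under the unsafe loader, hardened loader rejected the file)."""
    before = len(PAYLOAD_RAN)
    load_save_unsafe(make_poisoned_save())
    fired = len(PAYLOAD_RAN) > before
    try:
        load_save_safe(make_poisoned_save())
        rejected = False
    except ValueError:
        rejected = True
    return fired, rejected


if __name__ == "__main__":
    print(demo())
```

The point of the pairing is that the unsafe loader never “uses” the poisoned object: merely parsing the file is enough for the attacker’s callable to run, which is why a save file, a config file or any other document an application opens has to be treated as untrusted input and parsed with a format that cannot express code.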

Fortunately, Andzakovic believes in responsible disclosure and informed House House, the Australian developers of “Untitled Goose Game”, of the issue in October, and a patched version of the game has since been rolled out.

Version 1.0.6 and later of “Untitled Goose Game” are said to be patched against the vulnerability, and one week after the 1.0.6 update was issued, Andzakovic went public with his findings.

There is no evidence that anybody, other than the security researcher who found the flaw, has tried to exploit the vulnerability. But unusual examples of software flaws like this are a salutary reminder to all programmers that any file their code opens, a save file included, is input an attacker may have written, and that they should think carefully about how such a file could be used to compromise the computers of the very people they are trying to entertain.

HONK!

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
