Is nothing sacred?
The highly popular “Untitled Goose Game” has been found to be vulnerable to an attack that could allow hackers to run malicious code on your computer.
“Untitled Goose Game”, which allows players to take control of a truly horrendous goose terrorising an unsuspecting village, is considered by some to be the one of the year’s most fun indie video games and is available for Windows, MacOS and Nintendo Switch.
And as word spread of just how much fun it was possible to have making a mischief of yourself honking at an elderly man in his garden and almost giving him a heart attack, the game quickly became a viral sensation.
Now, with details published of a vulnerability in the way the game reads its save files, “viral” might almost take on a different meaning.
Security researcher Denis Andzakovic of Pulse Security found a remote code execution vulnerability in “Untitled Goose Game” that could be exploited by hackers.
According to Andzakovic, if an attacker was able to trick a game player into loading a poisoned save file for the game, the vulnerability could be leveraged to execute malicious code.
Such a technique could be used to plant other malware or spyware onto the computer of an fan of “Untitled Goose Game”. Not that such an fan is likely to have much of value on their infected computer, as they will be spending on their time pretending to be an anti-social goose rather than getting any work done…
As a proof-of-concept, the researcher was able to create a boobytrapped save file for the game which, when loaded, ran Windows Calculator. Of course, the payload could easily be changed for something nastier.
Fortunately, Andzakovic believes in responsible disclosure and informed House House – the Australian developers of “Untitled Goose Game” – of the issue in October, and patches for the game have now been rolled out.
Version 1.0.6 and later of “Untitled Goose Game” are said to be patched against the vulnerability, and one week after the 1.0.6 update was issued, Andzakovic went public with his findings.
There is no evidence that anybody, other than the security researcher who found the flaw, has tried to exploit the vulnerability. But unusual examples of software flaws like this are a salutary reminder to all programmers to think carefully about how an attacker might attempt to exploit weaknesses in their code, and potentially compromise the computer of the very people they are trying to entertain.