Untitled Goose Game security hole could have allowed hackers to wreak havoc

Graham CLULEY

October 31, 2019

Is nothing sacred?

The highly popular “Untitled Goose Game” has been found to be vulnerable to an attack that could allow hackers to run malicious code on your computer.

“Untitled Goose Game”, which allows players to take control of a truly horrendous goose terrorising an unsuspecting village, is considered by some to be one of the year’s most fun indie video games and is available for Windows, MacOS and Nintendo Switch.

And as word spread of just how much fun it was possible to have making a mischief of yourself honking at an elderly man in his garden and almost giving him a heart attack, the game quickly became a viral sensation.

HONK!

Now, with details published of a vulnerability in the way the game reads its save files, “viral” might almost take on a different meaning.

Security researcher Denis Andzakovic of Pulse Security found a remote code execution vulnerability in “Untitled Goose Game” that could be exploited by hackers.

According to Andzakovic, if an attacker was able to trick a game player into loading a poisoned save file for the game, the vulnerability could be leveraged to execute malicious code.

Such a technique could be used to plant other malware or spyware onto the computer of a fan of “Untitled Goose Game”. Not that such a fan is likely to have much of value on their infected computer, as they will be spending their time pretending to be an anti-social goose rather than getting any work done…

As a proof-of-concept, the researcher was able to create a boobytrapped save file for the game which, when loaded, ran Windows Calculator. Of course, the payload could easily be changed for something nastier.

Fortunately, Andzakovic believes in responsible disclosure and informed House House – the Australian developers of “Untitled Goose Game” – of the issue in October, and patches for the game have now been rolled out.

Version 1.0.6 and later of “Untitled Goose Game” are said to be patched against the vulnerability, and one week after the 1.0.6 update was issued, Andzakovic went public with his findings.

There is no evidence that anybody, other than the security researcher who found the flaw, has tried to exploit the vulnerability. But unusual examples of software flaws like this are a salutary reminder to all programmers to think carefully about how an attacker might attempt to exploit weaknesses in their code, and potentially compromise the computer of the very people they are trying to entertain.

HONK!
