A vulnerability in hit indie fowl-simulator Untitled Goose Game potentially left PC players open to hackers before being patched out in a recent update, according to a security researcher.
The hole through which any mischievous attacker could have slipped – like a goose through a garden fence – was discovered by Denis Andzakovic two weeks after the game's release last month.
According to Andzakovic's research, unsafe deserialization in the save game loader would potentially allow attackers to take control of a target computer in order to execute further malicious code. If you want to see it in action, check out this screen capture where you can see a save file he has modified to open the Windows Calculator app instead of letting you continue terrorizing a small English village.
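As an added example (not code from the game, House House or Andzakovic's research), here is a save loader that treats a save file as untrusted input and refuses any type the file asks the deserializer to instantiate. It uses Python's `pickle` as a stand-in for the game's serializer; `load_save`, `SaveUnpickler`, the `tasks_done` field and the size limit are hypothetical names and values.

```python
import collections
import io
import pickle

# Assumption for this example: a save is plain data (dict, list, str, int),
# which needs no class lookups, so no type names are allowed at all.
ALLOWED_TYPES = frozenset()
MAX_SAVE_BYTES = 64 * 1024  # constructed size limit


class SaveLoadError(Exception):
    """Raised when a save file is rejected."""


class SaveUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called whenever the byte stream names a type to instantiate.
        if (module, name) not in ALLOWED_TYPES:
            raise SaveLoadError(f"disallowed type {module}.{name}")
        return super().find_class(module, name)


def load_save(blob: bytes) -> dict:
    """Parse untrusted save bytes into a validated plain dict."""
    if len(blob) > MAX_SAVE_BYTES:
        raise SaveLoadError("save file too large")
    try:
        data = SaveUnpickler(io.BytesIO(blob)).load()
    except SaveLoadError:
        raise
    except Exception as exc:  # truncated or malformed stream
        raise SaveLoadError(f"malformed save file: {exc}") from exc
    tasks = data.get("tasks_done") if isinstance(data, dict) else None
    if not isinstance(tasks, list) or not all(isinstance(t, str) for t in tasks):
        raise SaveLoadError("unexpected save structure")
    return data


def is_rejected(blob: bytes) -> bool:
    try:
        load_save(blob)
    except SaveLoadError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample saves: one plain-data, one naming a non-allowed type.
    plain = pickle.dumps({"tasks_done": ["rake in the lake"], "area": 1})
    typed = pickle.dumps(collections.OrderedDict(tasks_done=[]))
    print(is_rejected(plain), is_rejected(typed))
```

The rejection happens inside `find_class`, before any object of the named type is constructed, which is the point at which a general-purpose deserializer would otherwise act on attacker-chosen type names.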
Andzakovic made Australian development team House House aware of the vulnerability on October 7, and according to his timeline of events the team acknowledged the issue two days later before issuing a patch to fix the problem on October 22. If you haven't updated your game since then, we suggest you do so now that details of the vulnerability have been made public. You wouldn't want someone honking up your PC with malware.
It's a niche issue: for the code execution to work, a user would need to download a save file from the internet that has been modified to give the attacker control of the PC. And who needs to download a save file when you can find out how to complete all the Untitled Goose Game secret lists yourself right here?
We're happy the Untitled Goose Game hack is no longer active, so all of the mischief-making is left up to you, the horrible goose. Go forth and honk safely.