Indie offering Untitled Goose Game swept through the gaming community like wildfire when it was released in September 2019, quickly emerging as a critical darling.
The game allows players to control a “horrible goose” that waddles around an otherwise sleepy English village and wreaks hilarious havoc ranging from stealing people’s hats to pouring water onto a doorman’s head. The game has also proved a commercial success, with sales in excess of 100,000 copies since it was launched.
However, fans have been warned to apply the latest patch to the game as a matter of urgency after security firm Pulse Security discovered a vulnerability that could allow an attacker to execute malicious code when a crafted save game is loaded.
Goose on the loose
The vulnerability lies in the game's deserialisation process, which is how the game loads save files. Serialisation is the process by which a program converts its in-memory objects into a stream of bytes; deserialisation reverses it, reconstructing a copy of the original objects from those bytes. In practical terms, this allows players to save their game at various points and then pick up where they left off when they reload the game. The danger arises when the byte stream itself dictates which classes the loader instantiates and what code runs to rebuild them: a save file is input that an attacker can control, so a general-purpose serialiser that trusts it can be steered into running attacker-chosen code. Untitled Goose Game is built on Unity, so the serialiser involved is .NET's rather than Java's, but the vulnerability class is the same across languages and libraries that let serialised data name the types to be created.
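The following is an added example, not code from Untitled Goose Game, House House or Pulse Security. It uses Python's pickle as a stand-in for the game's binary serialiser (both let the byte stream name the types and callables the loader instantiates) and shows a vulnerable save loader, a crafted save that runs a command on load, and two hardened loaders. The save fields (`level`, `honks`, `items`) and the marker command are constructed for the demonstration; a real proof-of-concept would launch calc.exe where this launches a harmless Python one-liner.

```python
"""Save-file deserialisation: vulnerable loader vs hardened loaders.

Constructed demonstration; not code from Untitled Goose Game or Pulse Security.
pickle stands in for the game's binary serialiser.
"""
import io
import json
import pickle
import subprocess
import sys

# Constructed example save state (hypothetical field names).
SAVE = {"level": "garden", "honks": 42, "items": ["hat", "rake"]}


def save_vulnerable(state: dict) -> bytes:
    """Serialise with a general-purpose serialiser, as a game might."""
    return pickle.dumps(state)


def load_vulnerable(data: bytes):
    """Rebuilds whatever objects the stream describes, callables included."""
    return pickle.loads(data)


class MaliciousSave:
    """A 'save' whose rebuild instruction is 'call this function'.

    __reduce__ tells pickle how to reconstruct the object on load; here the
    reconstruction step is running a subprocess. The command is a harmless
    stand-in for the calculator launched by the real proof-of-concept.
    """

    def __reduce__(self):
        cmd = [sys.executable, "-c", "print('calc.exe stand-in')"]
        return (subprocess.check_output, (cmd,))


def craft_malicious_save() -> bytes:
    """What an attacker would hand to a victim as a 'save file'."""
    return pickle.dumps(MaliciousSave())


# ---- Hardened side -------------------------------------------------------

def save_hardened(state: dict) -> bytes:
    """Data-only format: JSON has no way to encode 'call this function'."""
    return json.dumps(state).encode("utf-8")


def load_hardened(data: bytes) -> dict:
    """Parse as data, then validate the shape before trusting any field."""
    try:
        obj = json.loads(data.decode("utf-8"))
    except ValueError as exc:  # UnicodeDecodeError is a ValueError too
        raise ValueError("save file is not valid JSON") from exc
    if not isinstance(obj, dict) or set(obj) != {"level", "honks", "items"}:
        raise ValueError("unexpected save file structure")
    if not isinstance(obj["level"], str):
        raise ValueError("level must be a string")
    if not isinstance(obj["honks"], int) or isinstance(obj["honks"], bool):
        raise ValueError("honks must be an integer")
    items = obj["items"]
    if not isinstance(items, list) or not all(isinstance(i, str) for i in items):
        raise ValueError("items must be a list of strings")
    return obj


class RestrictedUnpickler(pickle.Unpickler):
    """If legacy pickle saves must still load: refuse every global lookup.

    The save needs only dicts, lists, strings and ints, none of which go
    through find_class, so any attempt to resolve a module-level name
    (a function, a gadget class) is treated as an attack.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def load_legacy_restricted(data: bytes):
    """Loads plain-data pickles; rejects anything that names a callable."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    print("vulnerable loader ran:", load_vulnerable(craft_malicious_save()))
    print("hardened loader:", load_hardened(save_hardened(SAVE)))
    for loader in (load_hardened, load_legacy_restricted):
        try:
            loader(craft_malicious_save())
        except (ValueError, pickle.UnpicklingError) as exc:
            print(f"{loader.__name__} rejected the crafted save: {exc}")
```

The first fix (a data-only format plus explicit validation) is the one to prefer for new saves; the restricted unpickler is only a stop-gap for reading saves written before the change, and it works because the legitimate save never needs to resolve a named class.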
Attackers could exploit this process in earlier versions of the game to execute arbitrary code. That would allow a cybercriminal to install malware such as spyware on an unwitting player's device, while the user continued to virtually honk at passers-by, blissfully unaware of the real-life mischief taking place.
The Pulse researcher, Denis Andzakovic, created a specially crafted save file as a proof of concept that, when loaded, launched Windows Calculator. A real attacker could substitute something far more sinister for the calculator.
Andzakovic informed the creator of Untitled Goose Game, Australian studio House House, of the vulnerability on 7 October, weeks before the research was made public. House House responded on 9 October and rolled out a patch for the vulnerability on 22 October. Users are urged to patch their game if they haven't already, and, since the save file is the attack vector, to avoid loading save files obtained from untrusted sources on unpatched versions.