Pulse Security consultant Denis Andzakovich discovered a critical vulnerability in the popular Untitled Goose Game. According to Andzakovich, the flaw allows malicious code to be planted in a save file and run through the game without the user's knowledge.
The vulnerability is an insecure deserialisation flaw in the game's save-file loader. An attacker who controls a save file (for example, one passed to a victim to load) can have arbitrary code executed at the moment the game loads it.
According to Andzakovich, he reported the vulnerability to the game's developer on October 7th, and on October 22nd House House announced the release of a patch. Users are strongly advised to install the update to avoid potential attacks.
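To make the failure mode concrete, the following is an added example written for this page; it is not Untitled Goose Game code and does not reproduce the game's actual save format, which the article does not describe. Python's pickle stands in (as an assumption) for whatever serializer the game used: the vulnerable loader hands a player-controlled file to a deserializer that lets the file choose which callable to invoke, so a crafted save runs attacker code before any game logic sees it. The hardened loader beside it parses a plain data format against an explicit whitelist of fields and types, so the file can never name a type or a function. The payload in the crafted save only sets an environment variable, so the demonstration is harmless to run; the function and field names (load_save_insecure, load_save_secure, SAVE_SCHEMA and so on) are invented for the example.

```python
"""Insecure deserialization in a save-game loader, and a safe replacement.

Added example, not the game's code. Python's pickle is an assumed stand-in for
the game's real serializer; the failure mode is the same for any format that
lets the file decide which types to instantiate or which code to run on load.
"""
import json
import os
import pickle

# --- The vulnerable pattern ---------------------------------------------------

def load_save_insecure(blob: bytes):
    """Loads a save file with pickle: whatever the file says to call, runs."""
    return pickle.loads(blob)


class MaliciousSave:
    """Stands in for a crafted save file. pickle honours __reduce__, so the
    loader calls exec() on attacker-chosen source during loading. The payload
    here only sets an environment variable so the demo is harmless."""
    def __reduce__(self):
        return (exec, ("import os\nos.environ['GOOSE_SAVE_PWNED'] = 'yes'",))


def build_malicious_save() -> bytes:
    """Produces the bytes an attacker would ship as a 'save file'."""
    return pickle.dumps(MaliciousSave())


# --- A hardened loader ---------------------------------------------------------

class InvalidSave(ValueError):
    """Raised for any save file that does not match the schema exactly."""


# Explicit schema: field name -> (expected type, range check). Fields outside this
# table are rejected, and the file has no way to name a type or a callable.
SAVE_SCHEMA = {
    "level": (int, lambda v: 1 <= v <= 99),
    "items": (list, lambda v: len(v) <= 50
              and all(isinstance(i, str) and len(i) <= 32 for i in v)),
    "honk_count": (int, lambda v: 0 <= v <= 10**6),
}


def load_save_secure(blob: bytes) -> dict:
    """Parses a JSON save file against a strict whitelist of fields and types."""
    try:
        data = json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as e:
        raise InvalidSave(f"not a valid JSON save: {e}") from None
    if not isinstance(data, dict):
        raise InvalidSave("save root must be an object")
    unknown = set(data) - set(SAVE_SCHEMA)
    if unknown:
        raise InvalidSave(f"unknown fields: {sorted(unknown)}")
    out = {}
    for name, (typ, check) in SAVE_SCHEMA.items():
        if name not in data:
            raise InvalidSave(f"missing field: {name}")
        v = data[name]
        # bool is a subclass of int in Python; refuse it for numeric fields.
        if not isinstance(v, typ) or isinstance(v, bool):
            raise InvalidSave(f"field {name}: wrong type")
        if not check(v):
            raise InvalidSave(f"field {name}: out of range")
        out[name] = v
    return out


def rejects(blob: bytes) -> bool:
    """True if the hardened loader refuses the given save bytes."""
    try:
        load_save_secure(blob)
    except InvalidSave:
        return True
    return False


def demo() -> dict:
    """Runs both loaders on a crafted save and on a legitimate one."""
    results = {}
    os.environ.pop("GOOSE_SAVE_PWNED", None)
    crafted = build_malicious_save()
    load_save_insecure(crafted)  # the payload executes here, inside the loader
    results["insecure_executed_payload"] = os.environ.get("GOOSE_SAVE_PWNED") == "yes"

    os.environ.pop("GOOSE_SAVE_PWNED", None)
    results["secure_rejected_malicious"] = (
        rejects(crafted) and os.environ.get("GOOSE_SAVE_PWNED") is None)

    # Constructed sample of a legitimate save in the whitelisted format.
    good = json.dumps({"level": 3, "items": ["rake", "bell"], "honk_count": 42}).encode()
    results["secure_loaded_good"] = load_save_secure(good)
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that validation, not obscurity, is the fix: a save format that can only carry plain data (integers, strings, lists, objects) and is checked field by field against a schema gives the file no way to reach code. Signing save files with a key embedded in the game client does not substitute for this, since any key shipped to players can be extracted.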