Aren't intents an Android-only thing? I'm not sure adding "depending on the platform" makes sense when the exploit only works on a single platform.
On Windows, if the game has been registered as a custom URL scheme handler, it opens ways for triggering it without the ability to pass custom CLI arguments.
On macOS, as part of application signing, apps also contain a permission manifest. So in theory, if a user runs a malicious app (which for some reason is properly signed but with limited permissions), it could leverage a vulnerable game to run in the context of slightly more permissions, but still as the same user.
On Linux, in most cases anyone able to pass CLI arguments could also run code directly with the same privileges. I guess unless the game executable was marked as setuid, but that seems unlikely.
Applications may have permission to access files/services that other apps and even root (I believe) would need user-prompt access to, gated by TCC (potentially including a sandboxed game's data).
Code-signed games that opt into enabling library validation should prevent the issue of loading arbitrary code; however, many games likely don't do this.
https://unity.com/security/sept-2025-01/remediation explains these details fairly well in the macOS section.
The URI handler is a separate vector that is more concerning.
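As an added example for the library-validation point above (not code from the thread, from Unity, or from the linked remediation page), a POSIX shell check that parses `codesign` output to tell whether a signed macOS app actually enforces library validation. The sample signature and entitlement text below are constructed, and `library_validation_status` and `check_app` are names chosen for this example.

```shell
# Added example: decide from `codesign` output whether a signed macOS app
# enforces library validation. The hardened runtime ("runtime" in the
# CodeDirectory flags) enables it unless the app also carries the
# com.apple.security.cs.disable-library-validation entitlement.
# Inputs are passed as text so the logic can be exercised offline.

# Prints "enforced" or "not-enforced".
# $1: output of  codesign -d --verbose=4 App.app 2>&1
# $2: output of  codesign -d --entitlements :- App.app
library_validation_status() {
  sig_info="$1"
  entitlements="$2"
  # Hardened runtime shows as "(runtime)", possibly with other flags, on the
  # CodeDirectory line, e.g. "flags=0x10000(runtime)".
  if ! printf '%s\n' "$sig_info" | grep -q 'flags=0x[0-9a-f]*(.*runtime.*)'; then
    echo not-enforced
    return
  fi
  # A <true/> disable-library-validation entitlement opts back out; join the
  # plist lines so the key and its value are matched as one unit.
  if printf '%s\n' "$entitlements" | tr -d '\n' | grep -q \
      'com\.apple\.security\.cs\.disable-library-validation</key>[[:space:]]*<true/>'; then
    echo not-enforced
    return
  fi
  echo enforced
}

# On a Mac, feed real codesign output (hypothetical helper name):
check_app() {
  library_validation_status "$(codesign -d --verbose=4 "$1" 2>&1)" \
                            "$(codesign -d --entitlements :- "$1" 2>/dev/null)"
}

# Constructed sample output (not from any real game), used for the checks.
SAMPLE_SIG_HARDENED='Identifier=com.example.game
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded'
SAMPLE_SIG_PLAIN='Identifier=com.example.game
CodeDirectory v=20400 size=1234 flags=0x0(none) hashes=30+7 location=embedded'
SAMPLE_ENT_STRICT='<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-jit</key>
  <true/>
</dict></plist>'
SAMPLE_ENT_OPTOUT='<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
</dict></plist>'
```

An app reported as "not-enforced" will load any dylib it is pointed at by its own arguments, which is the case the remediation page tells developers to close.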
With physical access, anything goes - like when you replace DLLs on your own system for modding … or changing permissions to gain access to files … or any number of “unauthorized” activities because you are physically located at the machine.
https://learn.microsoft.com/en-us/windows/security/applicati...
Currently it is still opt-in, but who knows when they decide to go Apple style with Gatekeeper.
Unity had a niche; their greedy execs killed that, and Godot is one of the beneficiaries of that.
"It's opensource, so it is going to be a better engine in the long run." Citation needed.
This is probably true due to a sort of survivorship bias. Code you can read is much easier to analyze and test and report. Closed source internal code has a lot of security by obscurity built into it. Not to dismiss security by obscurity, I am sure it keeps an absolutely frightening amount of code safe.
“The oldest and strongest emotion of mankind is fear, and the oldest and strongest kind of fear is fear of the unknown.” H.P. Lovecraft
I've actually been playing with it a bit recently and have had a couple of mysterious crashes in their IDE. It's likely ripe fruit for a curious security researcher.
I am baffled how they don't mention this at all.
There is https://discussions.unity.com/t/webgl-project-running-only-i... but the response is laughable.
philipwhiuk•4mo ago
It's also somewhat irrelevant unless there's a remote chain.
The Android Browser idea is interesting but is this actually a likely scenario?
sidewndr46•4mo ago
Sohcahtoa82•4mo ago
sidewndr46•4mo ago
kelsey98765431•4mo ago
jfyi•4mo ago
Sohcahtoa82•4mo ago
But if it can be exploited via Browser, then it means any website with an XSS vulnerability becomes an attack vector. But the attack needs to specify which app to start. So even if you found a great app that uses Unity and has juicy permissions, you'd have to hope your victims have that specific app installed. I'm not sure you could try to launch multiple apps without tipping off the user that the website is trying to do something funky.
somat•4mo ago
The gold example is the original Quake, where the engine had an application-specific VM to run the game code. Again, not security focused, and I am fairly sure VM escapes would be easy to find. But I also don't remember ever hearing news of how a Quake mod installed a rootkit on someone's PC.
whizzter•4mo ago
In this case, however, I'm gathering that this is an engine-level issue; in general, Unity hasn't been a huge target since most game code is run under C# (even if people might resort to unsafe for some things) and has basic memory safety from the language. It's a bad oversight in this case though.