Among Us has a bunch of security holes that let cheaters run wild

INNERSLOTH

The indie game Among Us has rocketed to immense popularity with its mix of wholesome multiplayer collaboration and devious sabotage. But it turns out that potential for treachery goes significantly deeper than the game’s creators intended.
James Sebree, a researcher for security firm Tenable, on Tuesday published a blog post laying out a slew of relatively simple, hackable vulnerabilities in Among Us that he has discovered over the past two months, allowing an extraordinary range of cheats. Some of them wreck the basic mechanics of the game, in which players collaborate on a space station while trying to identify secret impostors who are simultaneously trying to sabotage and kill them. Sebree says his hacks have, for instance, allowed him to kill players at will, impersonate other players, teleport around the game, walk through walls, supercharge his character’s speed, control the movements of other players, obtain paid in-game items for free, ban players without being the host, or remove a ban on himself.

Advertisement

Sebree says that he and some friends who are fans of the game initially started looking into its code in late September, with the goal of modifying it to allow more than the default 10 players. But he quickly found that the potential to alter the game went far further. “When I started digging into it I noticed these other issues and tried to give them a shot,” Sebree says, “and I saw that all these things were possible.”
The crux of the game’s security bugs, Sebree says, is that its servers aren’t designed to validate information sent by the game client running on the players’ computers, a basic safeguard against cheating in most popular PC games. Sebree was able to reverse-engineer the game’s code using the tools dnSpy and IL2CPP and create a modified version of the game client that sent the server all sorts of spoofed or altered data. “Say I’m player one, but I send a command to move as player two,” Sebree says. “Player two will move instead.”
Sebree is far from the first to hack Among Us, though he may be the first to do so this comprehensively and publicly. Players have complained of hacking and cheating in Among Us since at least early October. (The game also has a problem with analog cheating when players collude on external channels.) Some players were also hit with a deluge of pro-Trump spam in mid-October. Sebree says he was able to replicate that attack, sending messages as other players by exploiting the same lack of server-side validation of a message’s sender.
WIRED reached out to Innersloth, the small game developer behind Among Us, and the company responded that it’s looking into the issues. Sebree says he tried to get in touch with Innersloth repeatedly in mid-October to share his findings but got no response. He does note that a few of the hacks he highlighted have since been fixed, such as changing the color of your character, immediately identifying the impostor, or killing other players instantly. (Another hack for killing opponents – calling for a meeting and forcing all the other players to vote to throw the victim out of the airlock – still works, Sebree says.)

Advertisement

He also concedes that he hasn’t tested a few of the cheats in several weeks, such as banning other players, removing bans, or reviving dead players, but the other hacking techniques all remain unfixed. Although all of the hacks he publicized are a result of the lack of server-side validation of data, Sebree says that different kinds of data likely require adding their own validation rather than a single blanket fix.
Given that Innersloth has only three people listed on the “team” page of its website, it’s perhaps not surprising that it doesn’t have the resources to dig up and repair every hackable vulnerability in the game, says Sebree. He argues that the sort of basic bugs he uncovered are bound to occur in indie games like Among Us that are built by a skeleton crew of developers, using tools like the Unity engine to reduce the barriers to game building. Sebree’s blog post points to a similar collection of cheating techniques for another indie game, Fall Guys, that allow players to fly, teleport, and move at hyperspeed.
Sebree admits that the security vulnerabilities he found in Among Us hardly represent a serious threat to users. They don’t, for instance, allow access to anything on a target player’s computer beyond the confines of the game. “It’s very unlikely someone is going to be hacked and have their identity stolen because they were playing Among Us,” he says. “But it’s definitely possible to troll people or ruin the fun for them.”
Sebree admits that the security vulnerabilities he found in Among Us hardly represent a serious threat to users. They don’t, for instance, allow access to anything on a target player’s computer beyond the confines of the game. “It’s very unlikely someone is going to be hacked and have their identity stolen because they were playing Among Us,” he says. “But it’s definitely possible to troll people or ruin the fun for them.”

Advertisement

In order not to enable that sort of cheating and spoiling, Sebree says he left out certain instructions from his blog post that would allow others to easily replicate his hacks. But he nonetheless wants his findings to help spur indie developers to better secure their games, including Among Us. With some software fixes, he hopes, the game’s underhanded acts of skullduggery will be limited again to in-game impostors rather than the kind whose acts of sabotage dig into the code of the game itself.
This article was originally published on WIRED US
More great stories from WIRED
🇹🇼 Taiwan didn’t enter a national lockdown. Here’s how it beat Covid-19
🏥 Ransomware was blamed for a hospital death but investigators couldn’t prove it was the cause
🎅 The festive season is coming and these companies have some weird Christmas party ideas

Advertisement

🔊 Listen to The WIRED Podcast, the week in science, technology and culture, delivered every Friday
👉 Follow WIRED on Twitter, Instagram, Facebook and LinkedIn

Get WIRED Daily, your no-nonsense briefing on all the biggest stories in technology, business and science. In your inbox every weekday at 12pm UK time.

by entering your email address, you agree to our privacy policy

Thank You. You have successfully subscribed to our newsletter. You will hear from us shortly.
Sorry, you have entered an invalid email. Please refresh and try again.

Like this article?

Share on facebook
Share on Facebook
Share on twitter
Share on Twitter
Share on linkedin
Share on Linkdin
Share on pinterest
Share on Pinterest

Leave a comment

Why You Need A Website

Now