Security Explained: Unity Zero-Day Vulnerability

Recently, our security engineers were conducting penetration tests on a partner’s multiplayer game. They discovered something a little unusual. Upon following it to its source, they found that it wasn’t a game vulnerability. Instead, it was a vulnerability in the multiplayer Unity service.

What is the Unity Multiplayer Service?

As one of the most accessible and industry-leading engines, Unity offers a variety of services. One of them is the Unity multiplayer service. A cloud-enabled set of tools, that offer the service and infrastructure needed to “scale and operate” your own multiplayer functionality.

This is an “engine-agnostic” service, meaning it is malleable and useable regardless of the game’s engine. The service offers multiple tools including game server hosting, in-game player communications, netcode updates, and a matchmaker.

What were we testing?

The game we were securing was using several of these services. For this article, the matchmaker service is the key element. In this case, Unity hosts a set of APIs that are made public for gaming studios to use. The API contacts the server and communicates the information and data required. For a matchmaker, that information is used to match you with similar players. Whether similar mean skill level or game mode interest.

What did we find?

While we were validating functionalities, we encountered the potential issue. Upon following it up with its own validation, we discovered it was much more than just potential.

We discovered the vulnerability was in relation to authentication. As we mentioned before, the Unity multiplayer matchmaking uses information and player data in order to match them correctly. This is typical in any matchmade multiplayer game. It wouldn’t be fun if you were pitted against some of the best players out there.

However, in delivering players of similar skill into the same game, there are some steps in between. Once the player enters matchmaking, they get a reply from the server to confirm. Then, once a match is found, you are given a virtual ticket. This ticket is redeemed by your game upon entering, granting you access to the match.

Ticket revoked, back of the line

We noticed that, with this specific vulnerability, we could place ourselves in a unique spot. We could grant ourselves the ability to delete other players’ tickets.

Without a ticket granted by the server, you would be refused entry to the game or match. If the game has a failsafe for this situation, the player will simply be booted back to the menu. If not, the game may crash or may just leave the player in an infinite loading screen.

In either case, we discovered that this could quite easily be deployed as a blanket of ticket deletion. Meaning denying almost every player entry to any and every match they attempted to join. This is a classic DOS or Denial of Service vulnerability. If something like this had been abused, the entire multiplayer side of a game would cease to function. Malicious actors can and will target the gaming industry for a multitude of reasons, you can learn more about those reasons here.

Responsible Disclosure

Once we had verified the vulnerability and ensured it could be reasonably replicated, we contacted Unity. In a situation like this, it is a responsibility to file a responsible disclosure to the engine or tool’s team.

Unity’s team responded in a remarkably efficient and professional manner, taking on our report and patching the entire issue in two or three days. The danger of this issue was its source, the multiplayer service itself. Meaning, any and all games running on Unity’s multiplayer service would have been in danger of this vulnerability.

You can learn more about our gaming and non-gaming penetration testing services on our website. There, you can also find information on our load testing services and some of our past clients.