The indie game Among Us has rocketed to immense popularity with its mix of wholesome multiplayer collaboration and devious sabotage. But it turns out that potential for treachery goes significantly deeper than the game’s creators intended.
James Sebree, a researcher for security firm Tenable, on Tuesday published a blog post laying out a slew of relatively simple, hackable vulnerabilities in Among Us that he’s discovered over the last two months, allowing an extraordinary range of cheats. Some of them wreck the basic mechanics of the game, in which players collaborate on a space station while trying to identify secret imposters who are simultaneously trying to sabotage and kill them. Sebree says his hacks have, for instance, allowed him to kill players at will, impersonate other players, teleport around the game, walk through walls, supercharge his character’s speed, control the movements of other players, obtain paid in-game items for free, ban players without being the host, or remove a ban on himself.
Sebree says that he and some friends who are fans of the game initially started looking into its code in late September, with the goal of modifying it to allow more than the default 10 players. But he quickly found that the potential to alter the game went far further. “When I started digging into it I noticed these other issues and tried to give them a shot,” Sebree says, “and I saw that all these things were possible.”
The crux of the game’s security bugs, Sebree says, is that its servers aren’t designed to validate information sent by the game client running on the players’ computers, a basic safeguard against cheating in most popular PC games. Sebree was able to reverse-engineer the game’s code using the tools dnSpy and IL2CPP and create a modified version of the game client that sent the server all sorts of spoofed or altered data. “Say I’m player one, but I send a command to move as player two,” Sebree says. “Player two will move instead.”
Sebree is far from the first to hack Among Us, though he may be the first to do so this comprehensively and publicly. Players have complained of hacking and cheating in Among Us since at least early October. (The game also has a problem with analog cheating when players collude on external channels.) Some players were also hit with a deluge of pro-Trump spam in mid-October. Sebree says he was able to replicate that attack, sending messages as other players by exploiting the same lack of server-side validation of a message’s sender.
WIRED reached out Innersloth, the small game developer behind Among Us, and the company responded that it’s looking into the issues. Sebree says he tried to get in touch with Innersloth repeatedly in mid-October to share his findings but got no response. He does note that a few of the hacks he highlighted have since been fixed, such as changing the color of your character, immediately identifying the imposter, or killing other players instantly. (Another hack for killing opponents—calling for a meeting and forcing all the other players to vote to throw the victim out of the airlock—still works, Sebree says.) He also concedes that he hasn’t tested a few of the cheats in several weeks, such as banning other players, removing bans, or reviving dead players, but the other hacking techniques all remain unfixed. Although all of the hacks he publicized are a result of the lack of server-side validation of data, Sebree says that different kinds of data likely require adding their own validation rather than a single blanket fix.