A malware loader, “GodLoader,” has been found exploiting the Godot runtime. This highlights the importance of only downloading software from trusted sources.
Full details: https://godotengine.org/article/statement-on-godloader-malware-loader/
@godotengine thanks for responding to this topic. I started a discussion about potential learnings from this in the forum post about it. I'd love to see constructive discussion about this. https://forum.godotengine.org/t/statement-on-godloader-malware-loader/93096

@feyter @godotengine Yes, a bad actor can use game jams to distribute malware. This problem cannot be solved through arbitrary restrictions on Godot APIs, because those restrictions can easily be circumvented by using literally any other compiler, interpreter, or virtual machine. A better solution would be to only play jam games in sandboxed environments (e.g. the browser).

@feyter @godotengine The risk of running code from untrusted sources will always be on you and on nobody else. By the by, game jam games would be a horrible strategy for distributing malware.

@ratsnakegames @godotengine yes, you're right... Anyone can disable these restrictions by just editing the sources. There is literally no possibility to disable this unless the OS disabled those features.

@godotengine Okay, I read that entire CPR report. From what I understand, the big issue they have is that one can replace the .pck file of a game with malicious code. How is that different from running any suspicious executable off the internet? You can swap out files in *any* program to run malicious code. Their conclusion of "everyone using Godot programs is potentially under attack" is insane. Anyone downloading anything off the internet is potentially under attack. Or am I missing something?

@godotengine Reading more closely, I guess their issue is also due to the fact that Godot can easily run console commands without any antivirus detecting it, but I guess that's a consequence of Godot just not being popular for running viruses.

@popcar2 @godotengine "GDScript is good for writing viruses because it is not popular for writing viruses, and thus is under the radar for antivirus software" sounds like a problem that is going to solve itself really quick.

@popcar2 @godotengine Their reasoning for saying that everybody using a Godot game is potentially at risk is that mods or similar can inject malicious code into a legitimate game. Which is a somewhat legitimate concern - but seems fairly theoretical to me for the vast majority of Godot games.

@ratsnakegames It's not different from saying someone could swap out your exe with a hacked one, though, or swap out any of the files needed, such as DLLs, with malicious ones. If someone tampered with your file system, it's pretty much over. The report is pretty good and detailed, but I don't agree that all games are potentially at risk.

I think you could also bundle a Python interpreter, e.g. CPython with GDExtension or RustPython, and execute malicious files. I guess you could also transpile source files before executing with an interpreter, so GDScript support for malware scanners won't solve obfuscated code detection.

@HugeGameArtGD @popcar2 Virus scanners are bad at their job, and that problem is kinda unsolvable. It's not really Godot's fault that they are garbage, and it's not Godot's fault if people put too much trust in them, either.

I feel like this is a "nothing burger" ... Unreal or Unity3D or ... TensorFlow all have the same vulnerability, but Godot doesn't have a legal department ...
@godotengine Is Godots bad? :/