Aren't intents an Android-only thing? I'm not sure adding "depending on the platform" makes sense when the exploit only works on a single platform.
On Windows, if the game has been registered as a custom URL scheme handler, it opens ways for triggering it without the ability to pass custom CLI arguments.
On macOS, as part of application signing, macOS apps also contain a permission manifest. So in theory if a user runs a malicious app (which for some reason is properly signed but with limited permissions) it could leverage a vulnerable game to run in the context of slightly more permissions but still as the same user.
On Linux, in most cases anyone able to pass CLI arguments could also run code directly with the same privileges. I guess if the game executable was marked as setuid. That seems unlikely.
Applications may have permission to access files/services that other apps and even root (I believe) would need user-prompt access to, gated by TCC (potentially including sandboxed game’s data).
Code-signed games that opt into enabling library validation should prevent the issue of loading arbitrary code; however, many games likely don’t do this.
https://unity.com/security/sept-2025-01/remediation explains these details fairly well in the macOS section.
The URI handler is a separate vector that is more concerning.
https://learn.microsoft.com/en-us/windows/security/applicati...
Currently it is still opt-in, but who knows when they decide to go Apple style with Gatekeeper.
With physical access, anything goes - like when you replace DLLs on your own system for modding … or changing permissions to gain access to files … or any number of “unauthorized” activities because you are physically located at the machine.
It's also somewhat irrelevant unless there's a remote chain.
The Android Browser idea is interesting but is this actually a likely scenario?
But if it can be exploited via Browser, then it means any website with an XSS vulnerability becomes an attack vector. But the attack needs to specify which app to start. So even if you found a great app that uses Unity and has juicy permissions, you'd have to hope your victims have that specific app installed. I'm not sure you could try to launch multiple apps without tipping off the user that the website is trying to do something funky.
The gold example is the original Quake, where the engine had an application-specific VM to run the game code. Again, not security focused and I am fairly sure VM escapes would be easy to find. But I also don't remember ever hearing news how a Quake mod installed a rootkit on someone's PC.
In this case, however, I'm gathering that this is an engine-level issue. In general, Unity hasn't been a huge target since most game code is run under C# (even if people might resort to unsafe for some things) and has basic memory safety from the language. It's a bad oversight in this case though.
I am baffled how they don't mention this at all.
There is https://discussions.unity.com/t/webgl-project-running-only-i... but the response is laughable.
I've actually been playing with it a bit recently and have had a couple mysterious crashes in their IDE. It's likely ripe fruit for a curious security researcher.
Unity had a niche, their greedy execs killed that and Godot is one of the beneficiaries of that.