With the Halloween surprise of a potential new Undertale related game teaser, Deltarune, many have certainly already rushed to play it. If you haven’t, I recommend you don’t. Perhaps watch a Let’s Play of it instead.

Why do I say this? It comes down to a line on the website:

If that isn’t a bigger red flag for you than if someone had ground up the planet Mars and made a flag out of it, then you need to recalibrate your internet security consciousness. What this actually means is that when you try to run this program (on Windows; it may differ on Mac), you’ll get two warnings:

  1. A message will pop up saying it’s been prevented from running. This happens for any executable that Windows doesn’t have enough information to trust. You can override this by clicking the More Info line and then “Run anyway,” generally without too much risk. Usually this isn’t risky as by default, Windows executables can only write to a dedicate portion of the hard disk and can’t affect other things, meaning they usually won’t be able to leave viruses behind.
  2. After you try to run it, you’ll get another message asking, “Do you want to allow this app from an unkown publisher to make changes to your device?” This is where you should really stop. If you agree, you’re allowing this program to write to anywhere on your computer, which enables it to do all sorts of nasty things to your computer if it wants to.


Now, is this program likely to be harmful? Well, the key question to answer there would seem to be: How much to you trust Toby Fox, the creator of Undertale? He’s surely rich enough at this point that there’s no way he’d ruin his credibility by installing a virus or malware on fans’ computers under the guise of a new game teaser. So, yeah, I wouldn’t worry about that.

But that’s not the real question you need to worry about. The real question is: How confident are you that this website hasn’t been hacked, and the executable replaced with a virus or malware? If you jumped on it quickly, probably not, but the longer you wait, the greater the chance that someone would have had this idea, looked for a vulnerability, potentially found one, and replaced the executable with one of their own design.

So that’s why I recommend you refrain from playing it. Chances are, the program is safe (though there’s also a good chance it will install some spooky behaviour on your computer to surprise you over the course of the next day). But this is a big security risk. If you do insist on playing it, run an anti-virus scanner and Malwarebytes immediately afterwards, just to be safe (or if you have the technical know-how to run it in a virtual machine, do that instead).


Update 31/10/2018: As it turns out, Toby Fox made a huge mistake with the program’s uninstaller. Instead of simply uninstalling the game, it deletes everything in the folder where the game was installed, which could very easily wipe out a lot of things you don’t want to be wiped out. If you do install it, don’t uninstall it until a fix comes out.

Update 31/10/2018 #2: You might be wondering, how could this be done better? Well, the simplest way to do it better without asking much from players would be to distribute it through a larger, known game platform such as Steam or Itch.io. This would allow users to trust in the better security of this platform to be much less likely to be hacked. While such hacks have been known to happen, they’re a lot rarer than hacks of websites run by individuals.

If this isn’t an option for whatever reason - for instance, you want the game to do some sneaky stuff to the players’ computers for some Halloween mischief, which can’t be done with Steam games thanks to the limitations put on them - it is still possible to assure the players that they’re downloading the right file, but it requires some more work on their end. What you can do is present a summary value, called a “hash,” of the executable. The user can run a program to calculate the hash of the file they download, and then compare it to the hash you provide.


There are a couple pitfalls to this to be aware of though. The first is that if you put the expected hash on the same page where the file is downloaded from, then if this page is hashed, the attacker can simply modify the hash displayed on the page at the same time as they modify the executable that will be downloaded. So, to get around this, you would have to provide the hash in a separate location - for instance, tweet it. This would require the attacker to hack your twitter account as well and post a false updated hash there, which is possible, but one extra layer of unlikeliness.

The second pitfall with using a hash is that the most common hashing algorithm, called MD5, is insecure against deliberate attacks. The (oversimplified) reason behind this is that a hash only has a limited number of possible values - in the case of MD5, 2^128 values. While this is enough that it’s generally impractical to try random changes to a file until it matches the original hash value, the nature of the hash function does allow more advanced methods of creating an altered file that still has the same hash. This does take a lot of time still- probably more than an attacker would find worth it for an application like this - so it’s not much of a worry for low-value targets like this.

If you do want to be more certain about this type of vulnerability though, the solution is simple: Use a better hash algorithm, like SHA-3. Probably overkill, if you want to assure the more security-conscious downloaders, it isn’t much additional work.