
Case Study: @levelsio flight simulation game

Baptiste Loison

Security Engineer

Case Study: Security Vulnerability in @levelsio's Flight Simulation Game

In March 2025, indie maker and entrepreneur Pieter Levels (@levelsio) launched a simple yet addictive browser-based flight simulation game. The game quickly gained popularity, attracting thousands of players within days of its release. This rapid success also attracted the attention of security enthusiasts. The application was built with Three.js for the graphics and Socket.IO for real-time communication between players.

Security Issue

In the levelsio flight game, when a player dies, a message saying "USER1 killed USER2" is broadcast to all users. We can see from this screenshot of the code that when a user is killed, the game calls the function showMessage with the argument <b>${data.attackerUsername}</b> killed XXXX

This means that if a username is <h1>TEST_USERNAME</h1>, it is rendered as a heading on every user's screen, and if the username is <script>alert("you have been hacked")</script>, a popup alert reading "you have been hacked" appears on every user's screen.

In the actual incident, the "malicious" user sent a script that added triangular spaceships which followed players and shot them down. The decoded code looked like this:

// Excerpt of the injected payload as reproduced in the article; enableAlienInvasion
// and the update* functions it calls are not shown on the page.
setTimeout(() => {
  enableAlienInvasion();
}, 5000);

// Wrap the game's own animate() loop so the injected objects are updated
// on every frame alongside the legitimate scene.
const originalAnimate = animate;
animate = function () {
  originalAnimate();
  if (mothershipVisible) {
    updateMothership();
    updateMothershipAbduction();
    updateTriangleBeings();
    updateTriangleBullets();
  }
};

This class of vulnerability is known as cross-site scripting (XSS) and could lead to more impactful attacks, such as stealing an admin's cookies (to log in to an admin panel, for example) or redirecting users to a fake phishing website that steals their passwords.

How to fix/mitigate XSS vulnerabilities

But how do we fix this, you may ask?

There are actually multiple ways to fix this. The most basic is to follow the first rule of software security: never trust user input. Always sanitize user input (basically, remove any HTML tags or JavaScript code from it).
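As an added example (not code from the game or from the author), here is the vulnerable rendering pattern described above next to two hardened versions: one that HTML-escapes the username before it is concatenated into markup, and one that builds the message with DOM APIs and textContent so that user-supplied text is never parsed as HTML at all. The function names (renderKillMessageUnsafe, escapeHtml, renderKillMessageSafe, showMessageSafe), the field victimUsername and the sample event are my own assumptions, not the game's.

```javascript
// Added example, not the game's own code. Names below are assumptions.

// Vulnerable pattern: an untrusted username is interpolated straight into
// markup. If this string is later assigned to innerHTML, any tags inside
// the username are parsed and executed by the browser.
function renderKillMessageUnsafe(data) {
  return `<b>${data.attackerUsername}</b> killed ${data.victimUsername}`;
}

// Hardened option 1: escape every character that has meaning in HTML before
// it is concatenated into markup. Ampersand must be handled first, otherwise
// the entities inserted by the later replacements would be escaped again.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderKillMessageSafe(data) {
  return `<b>${escapeHtml(data.attackerUsername)}</b> killed ${escapeHtml(data.victimUsername)}`;
}

// Hardened option 2 (preferred in the browser): do not build markup from
// user data at all. Create the elements and assign textContent, which the
// browser treats as literal text, never as HTML.
function showMessageSafe(container, data) {
  const line = document.createElement('div');
  const attacker = document.createElement('b');
  attacker.textContent = data.attackerUsername;
  line.appendChild(attacker);
  line.appendChild(document.createTextNode(` killed ${data.victimUsername}`));
  container.appendChild(line);
  return line;
}

// Constructed sample event shaped like the kill broadcast in the article,
// with the username payload the article quotes.
const SAMPLE_EVENT = {
  attackerUsername: '<script>alert("you have been hacked")</script>',
  victimUsername: 'pilot42',
};

console.log('unsafe:', renderKillMessageUnsafe(SAMPLE_EVENT));
console.log('escaped:', renderKillMessageSafe(SAMPLE_EVENT));

// The DOM version only runs where a document exists (i.e. in a browser).
if (typeof document !== 'undefined') {
  showMessageSafe(document.body, SAMPLE_EVENT);
}
```

Run it with node to see the escaped output; the DOM-based version only executes in a browser. Escaping at the point where the value is written into the page is more robust than stripping tags when the username is first submitted, because it stays correct no matter what the stored value contains or which other client later renders it.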
