Bonsai Documentation Help

LittleBigPlanet & Security

What is 'scripting'?

As the scripting portion of LittleBigPlanet has been cracked open, there have been many vulnerabilities discovered in relation to multiplayer.

Scripting is a feature of the engine that allows arbitrary code to be run at runtime. In-game it is most commonly used for UI; presumably the developers needed to iterate quickly on the layout of the pod computer or the popit. Scripts can be attached to objects in levels (and, by extension, to planet decorations, since those are technically levels).

However, because the scripting system is open, meaning scripts can be shared through the server and over P2P multiplayer, scripts can also be used for naughty things.

These naughty things range from the relatively innocent, such as moving all of your levels to the top of your earth, to the destructive, such as deleting every level off your moon. Attacks like these have already been carried out against people on the official servers.

More recently, it was discovered that under certain conditions a script can execute arbitrary system calls, meaning scripts could potentially affect things outside of LittleBigPlanet itself.

Can we prevent scripting?

Thankfully, uploaded scripts are blocked by most custom servers. Any server worth its salt (e.g. Beacon or Bonsai) will reject custom scripts on upload unless they have been manually approved beforehand.

However, this does not stop scripts from being sent over P2P multiplayer. Anyone playing with you online has the capability to carry out a scripting attack.

Because P2P multiplayer is not mediated by the server, the server cannot enforce its script protections there the way it can for scripts attached to levels and player earths.

An attacker can spawn an object in your session with a script attached. That script never passes through the content filters imposed by the server; it goes directly to your game and is executed.

Auto-Join

So, by now you're probably thinking to yourself, 'Okay, I'll just play with friends I trust and deny everyone else.' Unfortunately, using another exploit, it is possible for attackers to join your session without any consent on your end.

I won't go into how this is possible, for obvious reasons, but just know that in theory someone could join your game and immediately spawn something that corrupts your save, or something far worse.

Protecting Yourself

There is not much that can be done about these exploits right now, pending work on patches for all of the games that block P2P scripts from being synced over multiplayer.

You could theoretically add a firewall rule that blocks P2P multiplayer, giving yourself NAT type 3, but this protection could still fail, and it also stops you from playing with your friends.

Your best bet is to play offline while a patch is developed, or to accept the risk and make frequent backups of your save. The silver lining is that these attacks haven't been performed yet, at least not that I'm aware of. But that doesn't mean LBP is safe.

Join our Discord and be the first to get notified when such a patch is developed.

Last modified: 28 April 2025