It hasn't been the best year for GOG so far. After a report that they had to lay off about a dozen employees, they announced the conclusion of their Fair Price Package program, and recently, during CD Projekt's financial results conference, it was revealed that GOG only had a net profit of 7.8k USD (30k PLN) in 2018. Now there's a report from security company Cisco Talos Intelligence Group, detailing several vulnerabilities found in their GOG Galaxy client, which the company assisted in patching out. While there aren't any actual leaks or compromised information of GOG Galaxy users, and the latest version of the client is now impervious to these particular vulnerabilities, it's far from the best PR for the company division.
GOG started as a niche digital distribution platform for old school gamers, with the basic premise of Good Old Games offered without any DRM. It soon acquired a cult following of abandonware enthusiasts. With the introduction of GOG Galaxy, first announced in June 2014, CD Projekt was clearly setting the scene for the release of The Witcher 3: Wild Hunt, the storefront's "killer app," which also shipped along with many GPUs in 2015. GOG has made every effort to reassure old school gamers that GOG Galaxy would remain optional, and they have kept that promise.
The full list and the technical details of the vulnerabilities are available in the Cisco Talos blog post, but if you've already updated GOG Galaxy recently and you're running the latest version, 1.2.54, there's nothing to worry about. Cisco Talos only tested and confirmed that version 188.8.131.52 is affected by the vulnerabilities. Even so, as they say, "Users are encouraged to update to the latest version of GOG Galaxy Games as soon as possible in order to avoid these vulnerabilities. As they all come from different functions, there is no one, clear workaround and they can only be fixed through this patch."
Even a megacorporation such as Facebook isn't immune to vulnerabilities: as a reminder, back in September 2018 they had almost 50 million access tokens stolen. We can only hope that future versions of GOG Galaxy will prevent vulnerabilities.
What do you think of GOG Galaxy's vulnerabilities? Is it possible for a client to be 100% free of vulnerabilities, or does it go with the territory? Let us know in the comments below!