LBP Union and Project Lighthouse are not affiliated with Sony Interactive Entertainment or their subsidiaries. Project Lighthouse is a clean room reverse engineering project of now defunct PlayStation 3 and Vita LittleBigPlanet online features. No proprietary code is distributed. Under no circumstances will we endorse or support piracy. You must have your own copy of the game in order to use the custom features once they become available. When using these features, you release Sony Interactive Entertainment (Sony) as well as any employees or agents of Sony, from any and all liability, corporate, or personal loss caused to you or others by the use of Lighthouse custom servers for LittleBigPlanet.
As we have come to better understand how LittleBigPlanet works, it has become clearer to us the likely reasons why Sony decided to discontinue the online servers for these beloved games. We are committed to continuing to support the next generation of online play for LittleBigPlanet, however we cannot ignore the challenges that we will face to ensure that the game is safe to play online. The purpose of this advisory is to inform the LittleBigPlanet community of the dangers of online play and what would have to be done to make online play safer.
Main Takeaways
- LittleBigPlanet online multiplayer, specifically peer to peer multiplayer sessions, like playing with other people in your pod are unsafe.
- The LittleBigPlanet client (the game itself) contains a remote code execution vulnerability which allows an adversary to perform actions from your client without your consent during multiplayer sessions, such as upload malicious content to a custom server.
- This vulnerability cannot be completely mitigated by any custom server since it is a client-side issue. Therefore, it affects all custom servers, not just Beacon.
- Protect yourself by only playing with users you trust.
- Dive In matchmaking will remain disabled as we investigate possible client patch fixes. You can continue to play with friends that you trust.
- RPCS3 users may no longer create Beacon accounts without connecting a PSN account first.
Where Does this Information Apply?
Please note, this security advisory is related to the game client, not the server. The dangers and threats we will disclose in this post apply to all online play across all LittleBigPlanet custom servers. This means that these vulnerabilities cannot be patched by server software. These are issues that are specific to the game itself.
Remote Code Execution
In recent months, LBP Union has become more aware of the full potential of LittleBigPlanet’s built-in scripting engine. By default, LittleBigPlanet uses the scripting system (internally referred to as “fishfingers”) to provide objects with dynamic features. For example, the Jetpack powerup, which uses a script that tells it how it should behave when Sackboy grabs it, and how it should let you fly.
Scripts are required for the game to operate and are responsible for basic game functions like the user interface, objects, music sequencers, and so on. However, scripts can be modified and attached to any object, sticker, or other item (called a ‘resource’). This unfortunately offers malicious users the ability to do many things, such as changing your user Description, or showing an on-screen notification. This past month, malicious users abused Beacon’s matchmaking system to join users and place down custom scripts embedded into objects in host’s pods.

More generally, this is a vulnerability called remote code execution. This is where a malicious actor can control your game to perform actions without your consent. Importantly, any actions they take will appear to come from your account and IP address, making it harder to determine who is responsible for the action.
The Risk of RCE
Modified scripts are able to forcibly perform actions on your behalf without your consent or knowledge. In the previous example, targeted profile descriptions of hosts were changed to malicious text. Without further context, our moderation team could easily mistake this text as being changed by the host themselves and not by a malicious actor. This is because when the profile description changes occur, they are done from your account and IP address. This is because your game loaded the script while you were the host. An adversary does not need your consent or approval to do this if they are in a multiplayer session with you.
Beyond LittleBigPlanet
Most alarmingly and more recently, we have been informed that there is a potential for LittleBigPlanet scripts to escape the confines of the game itself. It’s theoretically possible that an LBP script could affect your PlayStation 3’s core software and brick your system. For RPCS3 users, if it’s possible to escape the emulator, it could even affect other parts of your machine. A user could join your pod and then place down an object that could cause damage to your machine. We are not aware of any adversaries that have this capability, but the theoretical possibility of this risk is worrisome. Scripts in LBP are utilized for so many game functions that nearly any event that happens in-game can be controlled or manipulated via a game script.
Why Disabling Dive-In is Not Enough
We attempted to mitigate the issue by disabling dive in. Unfortunately this measure was met with the oversight that there are ways to bypass dive-in on a LittleBigPlanet server like Beacon and other servers. Therefore, disabling dive in will not stop a malicious actor from sending you a join request, even if they aren’t on your PSN or RPCN friends list. We are also investigating the possibility of a malicious actor’s ability to forcibly join a session without your approval, which we have not yet verified.
How Do We Fix This?
There are a few things to consider when approaching these challenges:
- What can we, the operators of Beacon custom servers, do right now to mitigate the risk?
- What can you, the end user, do to protect yourself?
- What should we do to correct the problem in the future?
Beacon
Currently, we are taking the following steps to help make Beacon safer in the wake of the discovery of these vulnerabilities:
- We are disabling sign-ups for RPCS3 users. RPCS3 users must now apply to join Beacon via our Discord server. However, RPCS3 users can also create and verify accounts by first signing in on a PSN account with the same username. We have made this decision because RPCS3 is the most used vector of abuse on Beacon. We aim to reinstate RPCS3 account creation once we have better tools at our disposal.
- We are making this security advisory to inform you of the dangers of online play so you can decide for yourself what you should do.
- Although this won’t stop malicious actors from trying to join you, we are keeping dive in turned off to help discourage abuse and encourage users to play with players they trust.
- Keeping our moderation team informed to minimize the chances of punishing our users for something a malicious actor did.
You
There are a number of steps that you can take to mitigate the risk of playing LittleBigPlanet online:
- The most important thing you can do to protect yourself is to only play with other people that you trust. If someone manages to join you without your explicit consent, close out of the emulator or turn off your console immediately.
- Avoid being idle while online. If you expect to be idle for a period of time, sign out on PS3. This will reduce your risk in case an adversary figures out a way to join you without your consent.
- If using RPCS3, choose your machine carefully. If you have any important or sensitive files on the machine, consider migrating them somewhere else or encrypting them.
- If using RPCS3, you can also consider running RPCS3 in a virtual machine, but you may have performance problems
- For all users, back up your data regularly. This applies to PS3, RPCS3, and Vita users.
The Future
The question remains: how can remote code execution in LittleBigPlanet be fixed? How can LittleBigPlanet custom servers be more secure?
To definitively end this issue, the client itself — your game — would have to have some preventative feature either patched in, or implemented in some other fashion. This requires technology and expertise that only a few people in the community might possess as of this moment. We will be closely monitoring and exploring this solution, as everyone in the community stands to benefit from it, regardless of their preferred custom server community. In the future, a potential patch to fix this issue could most likely be incorporated into existing patching solutions like Refresher, UnionPatcher and other future patching software. If anybody wants to contribute to this solution, we welcome all the help we can get. Ideally, this solution should be a community thing, and we are willing to help anyone who may be coming up with their own solution as well.
Should You Continue Playing LittleBigPlanet Online?
The answer to this question is entirely up to the individual. There are ways to minimize your risk, such as only playing multiplayer sessions with people that you trust. LBP Union is committed to doing everything we can to mitigate this issue and protect the community. If you have any questions about this advisory, please contact us. We will provide updates as we learn more about this vulnerability and research toward a potential client patch.




