Counter-Strike 2 exploit briefly allows malicious code injection, IP grabbing before developer hastily issues patch
The months following the launch of a new game are rough for any developer — especially an online game — but it's not commonplace for developers to face security vulnerabilities in their games that could cause serious issues for their players.
This seems to be exactly what happened with Valve's Counter-Strike 2 this week. A number of posts across Reddit and X (fka Twitter) are discussing a security vulnerability in Counter-Strike 2. The vulnerability allowed players to use HTML in their username to run JavaScript and execute an XSS attack on anyone in the same game lobby.
At first, it seemed as though the exploit only allowed bad actors to access the IP addresses of other players in the lobby, but it was later revealed that code injection was possible using the same vulnerability. Because of the severity of the attack, players were being advised by security experts, like the folks over at PirateSoftware, to avoid playing Counter-Strike 2 until the vulnerability was fixed.
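The root cause described above is a display name being dropped into an HTML-based UI without escaping. The following is an added example, not code from the article or from Valve, showing the unsafe rendering pattern beside the escaped form and an input check at the point the name is set; the function names and the 32-character limit are assumptions.

```javascript
// Added example (not from the article or from Valve): a player display name
// interpolated into an HTML-based UI must be escaped before rendering, because
// usernames are untrusted input supplied by other players in the lobby.

// Unsafe pattern: the name is concatenated straight into markup, so any HTML
// it contains is interpreted by the UI instead of being shown as text.
function renderLobbyRowUnsafe(name) {
  return `<div class="player">${name}</div>`;
}

// Mitigation: escape every character that has meaning in HTML text or
// attribute context before it reaches the markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderLobbyRowSafe(name) {
  return `<div class="player">${escapeHtml(name)}</div>`;
}

// Defence in depth: reject names containing markup characters when they are
// set, so a hostile name never enters the data path at all. The length limit
// is an assumed policy value, not one from the game.
function isAcceptableDisplayName(name) {
  return typeof name === 'string'
    && name.length > 0
    && name.length <= 32
    && !/[<>"'&]/.test(name);
}

// Constructed sample: a display name carrying a harmless HTML tag.
const SAMPLE_NAME = 'player<i>one</i>';
```

Run the two renderers on `SAMPLE_NAME`: the unsafe one emits the tag verbatim, the safe one emits it as inert text, and `isAcceptableDisplayName` rejects the name outright.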
According to Steam Charts, the security vulnerability seems to not have impacted the player count, with the concurrent player count still peaking at around a million users for the period the exploit was public on December 11. This is compared to the usual daily peak of around 1.1 million players for the week prior.
As of the time of writing, it appears as though Valve has patched out the exploit, and discussions online indicate that it may be possible for Valve to easily detect who took advantage of the issue. That means that anyone who took advantage of the vulnerability could be subject to a VAC ban.
PATCHED! https://t.co/qdlHEVJbPO
— Aquarius (@aquaismissing) December 11, 2023
Oh nevermind, you can totally get code execution with this :P @valvesoftware @CounterStrike please fix quick before anyone evil abuses this pic.twitter.com/9w7ETpH60X
— Rebane (@rebane2001) December 11, 2023