Dota 2 players were playing custom games with security holes for a year

Eduardo | 12 February 2023

Security issues can arise when a JavaScript engine is embedded across a security boundary and used to execute potentially untrusted code. One such problem affected the massively popular video game Dota 2.

It recently became public that Valve left a vulnerability in the V8 JavaScript engine bundled with Dota 2 unpatched for 15 months. An attacker used this security hole, apparently without much consequence.

The popular MOBA lets players create their own game modes with a fair amount of freedom. Users with basic programming skills can submit custom games to Valve, which reviews, publishes, or rejects them.

Valve did not release the patch in 15 months

The vulnerability, CVE-2021-38003, was in Google's V8 JavaScript engine and was patched upstream in October 2021. Valve, however, did not ship a Dota 2 update addressing it until January 12, 2023.

Valve did so after Avast notified the company of the situation. According to the report, the attacker was active until March 2022.

According to the report, the attacker published four custom games:

  • Rest addon pls, ignore
  • Overdog no annoying heroes
  • Custom Hero Brawl
  • Overthrow RTZ Edition

All four were adaptations of popular custom games within the Dota 2 scene.

Avast said:

“One such issue affected the massively popular Dota 2 video game. Dota used an outdated build of v8.dll that was compiled in December 2018. It’s no surprise that this build was vulnerable to a range of CVEs, many of them even being known exploited vulnerabilities with public proof-of-concept (PoC) exploits. We discovered that one of these vulnerabilities, CVE-2021-38003, was exploited in the wild in four custom game modes published within the game. Since V8 was not sandboxed in Dota, the exploit on its own allowed for remote code execution against other Dota players.”
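The root cause Avast describes is a vendored engine build that was already years old: v8.dll compiled in December 2018, shipped long after the October 2021 upstream fix. A first-pass check that a practitioner can run over a game or application install is to read the link timestamp out of each bundled DLL's PE header and flag anything older than the fix date of a known CVE. The script below is an added example written for this article, not code from Valve or Avast; the minimal PE image it parses is constructed in memory so it runs offline, and the October 2021 cutoff is an assumption taken from the fix date the article cites, not the exact patched V8 version.

```python
"""Flag vendored PE files whose link timestamp predates a known fix date.

Added example for this article (not Valve's or Avast's code). The PE image
is constructed inline so the check can be exercised without a real v8.dll.
"""
import struct
from datetime import datetime, timezone
from typing import Optional

# Assumption: CVE-2021-38003 was fixed upstream in October 2021 (per the
# article); any engine build linked before this date cannot contain the fix.
CVE_FIX_DATE = datetime(2021, 10, 1, tzinfo=timezone.utc)


def build_fake_pe(timestamp: int) -> bytes:
    """Constructed minimal PE image: DOS stub + PE signature + COFF header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> PE signature at offset 64
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def pe_link_time(data: bytes) -> Optional[datetime]:
    """Return the COFF TimeDateStamp as a UTC datetime, or None if unusable.

    Returns None for a zero timestamp or one in the far past/future, which is
    what reproducible builds (e.g. MSVC /Brepro) and stripped files produce.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # TimeDateStamp sits 4 bytes into the 20-byte COFF header
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    if ts == 0:
        return None
    linked = datetime.fromtimestamp(ts, tz=timezone.utc)
    if linked.year < 1995 or linked > datetime.now(timezone.utc):
        return None
    return linked


def is_stale(data: bytes, fixed_on: datetime) -> Optional[bool]:
    """True if the binary was linked before `fixed_on`, False if after,
    None if the timestamp is not trustworthy and a version check is needed."""
    linked = pe_link_time(data)
    if linked is None:
        return None
    return linked < fixed_on


if __name__ == "__main__":
    # 1544400000 == 2018-12-10 00:00:00 UTC, matching the December 2018 build
    # Avast describes; 1640995200 == 2022-01-01 00:00:00 UTC.
    for label, ts in (("old v8.dll", 1544400000), ("rebuilt v8.dll", 1640995200)):
        img = build_fake_pe(ts)
        print(f"{label}: linked {pe_link_time(img):%Y-%m-%d}, "
              f"stale={is_stale(img, CVE_FIX_DATE)}")
```

In a real sweep you would read each `*.dll` under the install directory into `data` and report every `is_stale(...) is True`. Treat a `None` result as "unknown, check the version resource instead": a timestamp is a cheap triage signal, not proof that a fix is present, so a file that passes still needs its version compared against the vendor's fixed release.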

But how did this affect the players?

When a player launched one of the rogue game modes, the exploit ran inside Dota's unsandboxed V8 process and gave the attacker remote code execution on that player's computer through a hard-to-detect backdoor. According to Valve, fewer than 200 players were affected by this exploit.

Investigators continue to assume that the attacker's intentions were dishonest, although there is no indication that malicious payloads were ever delivered; players were nonetheless advised not to play these game modes. The researchers also fault this person for never reporting the vulnerability to Valve.

In conclusion, this vulnerability in V8, Google's open-source JavaScript engine, let the attacker gain backdoor access to players' computers through Dota 2.

Fortunately for players, Valve responded promptly once Avast informed it: the company fixed the vulnerability, permanently removed the four custom games, notified the affected players, and took further security-hardening measures to prevent a recurrence.

Custom game modes do go through review before publication; even so, stay vigilant about modes that look questionable, since they could be carrying other security holes at any time.

Header image: Valve