Image: Valve
Valve told ZDNet today that it’s safe to play games like Counter-Strike: Global Offensive and Team Fortress 2 even after their source code leaked online today on 4chan and torrent sites.
The leak has caused panic in the two games’ online communities.
For most of the day, gamers have been warning each other that hackers may develop exploits based on the leaked source code that may be used to hack computers connecting to CS:GO and TF2 servers.
Warnings have been circulating all day on Twitter and on the official /r/counterstrike and /r/tf2 subreddits.
Do not launch TF2 under any circumstances, Remote Code Execution exploits have already been found which means you can receive a virus from simply joining a server with a cheater. This is not a drill.
— Heavy Update Out Yet (@HeavyUpdateOut) April 22, 2020
“We have not found any reason for players to be alarmed or avoid the current [game] builds,” Doug Lombardi, Valve VP of Marketing told ZDNet today. “As always, playing on the official servers is recommended for greatest security.”
The Valve exec says the company is investigating the incident and is now asking users to report any tips about who’s behind the leak via the Valve security page.
Source code leaked on 4chan
However, some information about the leak has already started to surface. Right now it’s known that the files were first posted on 4chan, from where they were immediately shared on various torrent sites, gaming forums, Twitter, and Reddit.
Image: ZDNet
The leaked files are source code that Valve shared with game and mod developers in late 2017, Valve told ZDNet today.
Lombardi said that Valve was aware that the source code actually first leaked online in 2018; however, the initial leak was not widely known or circulated.
One of the few people who knew of the 2018 leak is Tyler McVicker, the owner of the Valve News Network, who laid out the events that lead to today’s second leak in a Twitch stream.
On Twitter, McViker also said he knew who was behind the leak and said he plans to report the person responsible to Valve’s legal department.
However, despite Valve’s reassurances that players are safe to play the two games, this may not be the case for long.
Access to a game’s source code always makes exploit development much easier, and players are right to warn each other — although this may not be an immediate threat, right now, but something they need to keep in mind in the coming weeks or months.
Attacks were hackers used game servers to infect gamers with malware have happened before. In March 2019, Russian antivirus firm Dr.Web published a report about hackers were using a zero-day vulnerability in the Counter-Strike 1.6 game to infect users with the Belonard malware. At the time, Dr.Web said that almost 39% of all CS 1.6 multiplayer servers contained malicious code that tried to infect users with malware.
Today’s source code leak opens the possibility of similar attacks against CS:GO and TF2; however, exploits may take some time to develop and Valve may easily counteract them with game updates, since both games are still actively maintained.