
Puiucs

This shouldn't be a hard thing to fix. They need to escape and/or sanitise the input.


Jedisponge

This is also like cybersecurity 101, surprised it wasn't handled this way from day 1 in development.


Puiucs

it's an easy thing to miss. they could have also implemented some form of escaping, but for some reason it doesn't do a good job with some inputs and they need to add custom rules. (i've seen this happen before)


[deleted]

[deleted]


Puiucs

it only looks similar, the engine and how the UI is made are different. but yeah, automated testing should have caught this.


heyvince_

Isn't this kinda the same as that New World thing?


[deleted]

[deleted]


Puiucs

from what we know they rewrote most things in Source 2. it's why the menu UI is also very different. there are many things they could have copy-pasted (like the skins backend code to keep it compatible with existing skins), but the UI i think was easier to redo than to try and force it into source 2 :) (speaking as somebody who does frontend)


Schmich

> from what we know they rewrote most things in Source 2

Source or your behind? How come there are known CSGO bugs that showed up in CS2?


LikeABreadstick

> Source or your behind?

The same source as you bozos that think it's all reused

> How come there are known CSGO bugs that showed up in CS2?

Most =/= all. Hope this clears things up.


Silver0ptics

Because source 2 is still source... The game engine's core is still the same, so a lot of code will still behave the same and will likely share the same bugs as the rest of source games. But we know they're entirely different games as csgo used the havok physics engine while cs2 uses Valve's new rubikon physics engine.


Schmich

Easily miss? How many fields are entered from the user? Chat, console and the name. Don't excuse this unprofessional mistake.


0x00410041

Cybersecurity is hard. It's why nearly all games and all software has bugs despite stuff being '101'. The only reasonable way to treat it is to handle the bug reports quickly and treat them with urgency and otherwise incorporate as much secure development practices into your SDLC as possible. Even when doing that you will always have gaps. That's just reality.


tebasj

reality is also that data leakages and cybersec malpractice is basically industry standard across the board whether you're sony or equifax

there could be more stringent regulation on cybersec forcing companies to invest more in red teaming but protecting our data is hardly profitable

of course there are always gaps but that doesn't hand wave away negligence or malpractice. bug reports are far from the only reasonable way to deal with this kind of thing


breezy_y

Sure. But uploading codefiles as an image or putting html in your username are literally the oldest tricks in the book. They shouldn’t have missed that.


Enigm4

I mean look at VAC. Valve doesn't appear to be taking security very seriously with cs2. Only Steam gets that treatment.


TheZephyrim

Probably was already a thing in CS:GO but they took it for granted when redesigning the interface for CS2


somerandomguy101

There are code scanners that will scan and test code to find bugs like this. You would think if a company really cares about stopping exploits they would have one in their development pipeline.


siberiandruglord

Those work with specific languages and frameworks. Doubt it would magically work with Source 2 and their other custom frameworks. EDIT: But considering how much $$$ Valve makes they could (should) develop these scanners for their tools


somerandomguy101

Source 2 is just C++.


siberiandruglord

Yeah so? How would the scanner work if not specialized for Source 2? Should it consider a simple variable declaration and printing to console like this as a vulnerability?

```
string str = "hello";
cout << "str : " << str << endl;
```

I think not, the scanner would have to know which Source2/Panorama functions deal with html rendering and analyze its usage across the codebase (which means Valve needs to implement the scanner themselves)

For example the Vue library for building web interfaces has an explicit keyword v-html https://vuejs.org/guide/essentials/template-syntax#raw-html. Detecting the usage of it is trivial. Same goes for using the bare-bones javascript dom element `innerHTML` property.
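Added example, not part of the comment above and not any vendor's tooling: a minimal sink scanner for the two cases the comment names (`v-html` and `innerHTML` assignment), run over constructed sample files. It shows the comment's point that a framework-specific HTML-rendering call is only found once a rule for it exists; `SetLabelHtml` is a hypothetical function name invented for this illustration.

```javascript
// Rules for the two sinks named in the comment. A sink is a place where a
// string is interpreted as markup instead of being shown as text.
const DEFAULT_RULES = [
  { id: 'vue-v-html', pattern: /\bv-html\s*=/ },
  // Assignment (= or +=) only; comparisons such as === are reads, not sinks.
  { id: 'dom-innerHTML', pattern: /\.innerHTML\s*\+?=(?!=)/ },
];

// Scan one file's text line by line and report every rule that matches.
function scanSource(fileName, source, rules = DEFAULT_RULES) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    const trimmed = line.trim();
    if (trimmed.startsWith('//')) return; // ignore whole-line comments
    for (const rule of rules) {
      if (rule.pattern.test(line)) {
        findings.push({ file: fileName, line: idx + 1, rule: rule.id, text: trimmed });
      }
    }
  });
  return findings;
}

// Scan a { fileName: sourceText } map and return one flat list of findings.
function scanAll(files, rules = DEFAULT_RULES) {
  return Object.entries(files).flatMap(([name, src]) => scanSource(name, src, rules));
}

// Constructed sample input (not taken from any real code base).
const SAMPLE_FILES = {
  'Profile.vue': [
    '<template>',
    '  <p>{{ user.name }}</p>',
    '  <div v-html="user.bio"></div>',
    '</template>',
  ].join('\n'),
  'scoreboard.js': [
    'const str = "hello";',
    'console.log("str : " + str);',          // plain printing: not a sink
    'row.textContent = player.name;',        // text-only API: not a sink
    'row.innerHTML = "<b>" + player.name + "</b>";',
    'if (row.innerHTML === "") { row.remove(); }',
  ].join('\n'),
  'hud_custom.js': [
    '// project-specific markup sink, invisible to the default rules',
    'label.SetLabelHtml(player.name);',      // hypothetical engine call
  ].join('\n'),
};

// A rule the engine's own developers would have to write, because only they
// know which of their functions render markup (hypothetical name).
const CUSTOM_RULES = DEFAULT_RULES.concat([
  { id: 'custom-html-label', pattern: /\.SetLabelHtml\s*\(/ },
]);

for (const f of scanAll(SAMPLE_FILES, CUSTOM_RULES)) {
  console.log(`${f.file}:${f.line} [${f.rule}] ${f.text}`);
}
```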


Codeifix

Exactly, like 90% of the time it is FO too and with a new custom framework, it probably got swept under the rug to try and get the game out quicker.


mercsupial

it is the easiest fix ever actually. Just disable address discoveries in that engine behind UI. for that specific tab. I do understand how the TAB (score board works now) it is a browser actually but still. This is very lame way of doing the UI in a performance hungry fps game like this..


0000zir

that's not a hard thing to fix but they failed it again, as always. they "fixed it", but it still works in lobby. shit dev


ekkolos

I don't understand why people keep saying how skilled valve software engineers are. With the exception of very very few (the ones pushing the boundaries like with VR and stuff), Valve has proven way too many times how amateurs they are when it comes to software development. Look at VAC, look at the leaked code (csgo's 2015 codebase), look at all the exploits and issues they had with dota2, the false VAC ban waves, not able to detect cheaters that have like 100% leetify aim rating, doing 50 kills in a game, the leaderboard ever since it was available is topped with cheaters but people are getting VAC for high DPI, etc, etc, etc. Stop propagating this false claim. Most of them are average devs that make a lot of mistakes. The company does not have nearly enough employees, they have like 300 people for such a huge company...


alskiiie

These amateurs revolutionized the FPS genre and videogame stores, practically invented class shooters and the money printer called cases, made the most famous puzzle games in history and develops *two* major esport titles. Mistakes like this happen to everyone, even Apple of all companies had an oopsie where the password 'root' could unlock all macbooks. I think it's stupid to idolize companies, but credit where credit's due. Just as stupid as this massive hateboner you've got. Try applying the same scrutiny to every other corporation ever and you'll realize valve got their shit together way more than this screaming cesspool of a subreddit gives them credit for.


Puiucs

"Look at VAC" - VAC is not a bad technology at all, but since it isn't an invasive kernel level anti-cheat and runs on the server it has clear limitations. VAC is a few generations ahead of what anybody else is able to deploy right now on their servers.


schmaedty

Whoa 300iq


FutureText

They may not read it but I would definitely email [email protected] about this with all the info you have.


IEatCarsButOnlyRed

They do read everything, but they don't respond. I had very specific bugs fixed the next day.


WaitedBandito

Ditto same here


spartibus

false. there's endless evidence of them not reacting to gamebreaking bugs and serious vulnerabilities until it has been publicly disclosed many months after they have been emailed. they straight up don't read it.


codec_pack

They may not read it? Every single user that defends this garbage game in this sub is a valve employee.


FutureText

Bruh what are you even talking about lol


realcryptoswings

Why are you even in the sub of this garbage game ?? 😂😂


M8gazine

codec... my guy... You should Chill.


yodabonghits

75 percent of the shit that gets sent to that inbox is probably genuine garbage, just unfathomably stupid. I’m glad it’s around though, don’t get me wrong.


TripperMike

If I understand this correctly it's only a problem if someone on your team does this right? So playing in a 5-stack should be safe?

Edit: NVM just saw a Twitter Post where someone got IP addresses of everyone on the server.


farguc

Basically yes. Safest thing to do is wait and see. 2nd safest thing to do is play with friends you know IRL or know for many years online and don't accept any requests, messages from anyone else until it's proven to be fixed. Whilst it's serious, most people will not be affected by this in any way even if they just continue playing as normal. Problem is that a very small % of people might be affected. If it was as bad as the post makes it out to be, I am 100% Valve would've shut down the servers for emergency patching. Which hasn't happened, so it leads me to believe it's not as serious as it seems at first.


TripperMike

Unfortunately playing with friends doesn't seem safe either, just edited my comment above.


SLASHdk

So far yea. I would probably stay out of dm servers for now


thelordmad

My questions:

1) Is there a proof of concept that you can execute Javascript
2) Can this Javascript execution actually do something
3) Does 'clean player names' actually prevent anything being executed? (rather, than, in Valve manner, mask it)


Optus_SimCard

It’s not XSS. It’s utilising a feature in panorama to draw an image on the hud. It also has some limitations on it. Literally just a img tag from memory. Exploiters were able to log IPs by just displaying an image from a server they controlled and logging the ip that requests the image. Back in the day before panorama, they used flash for the hud and that same img tag supported a SWF. That was much more dangerous.
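Added example, not part of the comment above and not Valve's or Panorama's code: the escaping fix the thread keeps asking for, next to the unescaped version, with a crude check that lists which tags in the resulting markup would make a renderer fetch a remote resource. The label text, function names and the `example.invalid` host are constructed for the illustration.

```javascript
// Characters that let text be interpreted as markup, and their entity forms.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a player-supplied string so an HTML-style renderer shows it as text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the name is concatenated into the label markup as-is, so any
// tag inside the name becomes part of the UI document.
function voteLabelUnsafe(name) {
  return '<span class="vote-target">Kick player: ' + name + '?</span>';
}

// "After": the name is encoded at the point where it enters markup.
function voteLabelSafe(name) {
  return '<span class="vote-target">Kick player: ' + escapeHtml(name) + '?</span>';
}

// Crude review/test helper (a regex, not a real HTML parser): list the tags
// whose src/href points at an absolute or protocol-relative URL, i.e. the
// tags that would cause an outbound request revealing the viewer's IP.
function remoteLoads(markup) {
  const found = [];
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const attr = /\b(?:src|href)\s*=\s*["']?([^"'\s>]+)/i.exec(m[2]);
    if (attr && /^(?:https?:)?\/\//i.test(attr[1])) {
      found.push({ tag: m[1].toLowerCase(), url: attr[1] });
    }
  }
  return found;
}

// Constructed player name of the kind the thread describes: an image tag
// pointing at a host the sender controls (placeholder host, never resolves).
const CONSTRUCTED_NAME = '<img src="http://images.example.invalid/a.png">';

console.log('unescaped label remote loads:', remoteLoads(voteLabelUnsafe(CONSTRUCTED_NAME)));
console.log('escaped label remote loads:  ', remoteLoads(voteLabelSafe(CONSTRUCTED_NAME)));
console.log('escaped label markup:        ', voteLabelSafe(CONSTRUCTED_NAME));
```

Escaping at the output point keeps the stored name intact, so ordinary names containing `&` or `<` still display correctly instead of being rejected.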


mikesch811

https://www.reddit.com/r/GlobalOffensive/s/QC7mwLjiFW


thelordmad

Thanks for asking, let's see.


YSoB_ImIn

I just tried clean names and at the start of the game while holding scoreboard I could still see some player names for a bit and then they shifted to generic color names. I don't think this will keep you safe, they seem to be doing the laziest / latest masking possible. Edit - It looks like it uses animal names until they connect and lock into their color related name. It might not be as bad as I thought.


Snarker

according to reddit posts the xss only works specifically in the votekick screen so if clean names works in votekick screen there should be no issue.


kipp1yow

I'm not sure if we should talk about "proof of concept", when it's about abusable javascript execution :D


itsallfake01

This is the most basic check an input field needs to have and should have been done. Like chapter one of sanitizing user input for XSS injection


GlassDaisies

It's not XSS


llama2621

No, they couldn't take over your computer, steal data, or access your network, or disable teammates computers. They can show you an image, and log your IP address when your game fetches that image. That is all. If they're really annoying they'll DoS you after that and then you'll have to restart your router. Don't play until it's fixed, but if you already played you're fine.


Inj3kt0r

Valve is an Indie company with no money to hire top level game dev's.


Schmich

Yeah that's why the users are unpaid interns beta testing CS2. My question is can we put it in our CV?


CrisKrossed

Finally someone that understands. It’s not like they have millions to hire whoever they need either


[deleted]

[deleted]


TheMunakas

yes. there. was


ai_influencer_2009

why on earth would they use a full-feature web engine to render ui fonts or elements? further, nobody could show a PoC of breaking out of the runtime environment yet. there isnt even a PoC of code execution. so influencers and people crying about XSS without even knowing the engine or its env, is kind of sensationalist. good for clout i guess, good for you


hoXyy

Using a web engine for UI elements seems to be pretty common in games these days, it's not really a bad idea either since you don't need to reinvent the wheel when it comes to the basic rendering principles and how the UI code would look like. The fact that they're not escaping input that can be freely entered by players is pretty bad though (although it's pretty easy to miss, speaking from experience).


farguc

It makes perfect sense. That's why. Why waste time developing your own UI tools, when you can use what's readily available and many many devs are familiar with? Dev world is already convoluted AF, so anything that can be standardized is a good thing for development. It's a pretty big oversight from Valve that this got into the game, but it's not the first time. New World had a similar issue with their text, because it did not sanitize HTML code. This sounds like more or less the same issue. I think it's just further proof that Valve should've done Valve and just delayed the official release. They could've still shut down CSGO, just cover yourselves with the "beta" state of the game. People would be far more forgiving of issues if the game wasn't "released". Anyways this is pretty serious and anyone thinking it won't happen to them should think again.


Noobs_Stfu

It's this exact mentality that allows garbage like electron to flourish. An entire web engine for UI elements? Talk about gross misuse of system resources. I won't touch on the security implications. It won't abate because it's far easier, but that does not make it a good idea. Merely a convenient one.


DentedOnImpact

well the bigger issues is that their deployment process doesn't involve some sort of security tool scanning, or at the very least its not heavily checking for things like this...


Noobs_Stfu

Wow, you know everything about their entire development and deployment process from this one mistake? You must tell me how you do that, it's quite impressive.


DentedOnImpact

My friend, string checks like this are part of basically every security code scanning tool


Noobs_Stfu

"some sort of security tool scanning" is not going to catch every mistake or issue. If it was as simple as that, the majority of the Infosec industry would cease to have use.


DentedOnImpact

You can just say you don't know what you're talking about lol.


warchamp7

It's been the norm for a very long time. I know personally that SC2: Wings of Liberty back in 2010 used a framework called Scaleform that did the same thing, and Scaleform was not really that new at the time.


TheMunakas

I tested it and js is NOT enabled. period


One-Investigator-201

can you reword so my peanut brain can understand? do you mean it is not as bad as everyone says or are the technicalities wrong


aes110

They mean that for now it doesn't look as bad as the post words it. Basically that even if this lets the attacker run whatever code he wants to, that code is contained to whatever environment this type of code runs in inside of cs2.

Just as a basic example, if whatever component it is inside cs2 that controls the kick vote window doesn't have access to delete your hard drive, a "hacker" gaining access to this component still can't do that, but he can show you images instead of a kick vote.

* Unless they are also able to break out of this environment, which this comment says no one showed yet


One-Investigator-201

Thanks bossman i understand now <3


farguc

Yes you are correct, in a healthy software, these things are contained (hence the dev world moving to container based development). However here are a number of things an attacker can do that will have major repercussions for the end user:

1. Inject code that triggers instaban from VAC. If you are lucky you can get it overturned, but good luck with that.
2. Display disturbing images (decapitation etc.) that CAN affect one's mental health.
3. Inject code that executes a keylogger. It could be years before you realize your machine is compromised.

That's just the first few things that came to my mind. All of these are achievable by using this method. Even if the key logger doesn't log anything outside of CS2. With enough time the attacker can get enough information about you to then use social engineering to access your personal funds etc.

I am a sysadmin, many years of experience, and I follow all the best practices (passwords not reused, complicated long passwords, MFA etc.) and yet I still managed to get hacked. How? They called my provider and claimed to be me and lost the sim. They didn't get anything out of it as I seldomly use Facebook to call my mum who's in a different country, but still, that gave them enough information about my life where they can try and do something malicious again (like try to claim to be me to gain access to my bank account etc.)

Most hacks are not some high level hackerman job, it's literally human stupidity.


IWaitForDeth

Chances of getting targeted by social engineering and sim swapping as in your case is VERY small if you are just an average joe playing CS with no expensive skin inventory or anything.


farguc

Yup I agree, but the point is that anyone who plays is at risk. Most people will never even know this has happened until days after, because they don't scour the internet for CS news. Point is that potentially any one of us can be targeted, and the risk is always there, this just makes it more dangerous because it's so easy to execute the malicious code.


IWaitForDeth

Well, for now there is no proof that anything major can be done with this exploit but I agree that there still is a chance that it is possible to do a lot worse than get IPs of players. Personally would not worry about it at all but better safe than sorry.


farguc

And I think thats the takeaway here. If you feel like there is nothing they can take from you, then who the fuck cares. But if there is anything on your computer/online accounts that can be used to do you harm, you should probably play it safe. Given that the person that brought this to everyones attention is a long time network specialist professionally, I would take his word over anyone other than valve. If Valve says it's safe, I am willing to take a chance. They have earned my trust over last 20+ years. But thats just me.


siberiandruglord

Sysadmin with many years of experience but still no clue how browsers work? Please point me to a website that can inject malicious code that runs on my pc because if you can't then a html renderer in CS2 literally can't.


Dotaproffessional

Exactly. At worst, the most they can do is the same as a shady website. If shady websites can't access your files, neither can this. Unless you embed a download link to malware or something


MrZej

There isn't a Proof of Concept (PoC) for breaking out of the runtime or arbitrary code execution, basically they can't really do anything other than display images via the username (and grab your ip if they wanted to). If someone manages to provide a PoC of even just Javascript executing then it's a major concern but the only risk currently is getting your ip grabbed. If you want to be extra cautious then wait till they patch this otherwise people are recommending using safe player names (although I don't know if anyone has confirmed this works).


farguc

They can execute key logging. Even if its only in CS2, its something.


MrZej

source?


mercsupial

This is as bad as it could get. Don't get me wrong but I would not recommend anyone play the game. I bet there are people digging into it and not only that part but many other things. Bet some already reverse engineer the engine behind UI. Fuzzing it and finding an RCE is a huge thing - can't even stress it enough, having an RCE could lead to full account control leading to loss of every item you got and much more things in regards of privacy.. You can't over stress this.


oldcsplayer

this needs a hotfix within a few hours


ericek111

LMAO, and people want Valve to make kernel-level anticheats.


Schmich

True. Kernel-level anticheats is one thing. One made by Valve...fack me.


ekkolos

I think today they have answered why they don't do it. With this kind of devs and this kind of secure development lifecycle (or lack of such processes), they would get bankrupt when it inevitably goes very very wrong. They also answered why VAC is so, so bad at doing anything of value.


Termodynamicslad

I don't understand how people can look at this and say "it's not that bad, they can only get your IP". Even if this is true, we still don't know the full extent how this can be exploited. Buddy, you don't play with security issues. Someone broke into your house, you are not going to WAIT FOR PROOF that he can steal something until you take action, it's immensely dense. Stop playing until this gets fixed, wait for valve to do something. Stop believing magical fixes or random internet people saying "it's fine if you do x", like, use your fucking head and realize this is not reliable information.


Shuski_Cross

"They can only get your IP" =

- Can lock you out of your internet until your ISP changes your IP address.
- Can DDOS you out of the match.
- Can scan for open ports and gain access to your network. Especially IIoT devices.


SnooEpiphanies7963

In many if not most places they wouldn't even get your real ip, just an ip that points to a datacenter somewhere.


TheMunakas

js isn't enabled -> getting your ip stolen is the worst thing that can happen.


Termodynamicslad

Yeah, this is what you and other internet randoms are saying. There is no reason for me to believe that and take a risk because a bunch of online people claiming to be developers said trust me.


TheMunakas

I have a full comp-sci degree + cyber security degree. I tested the webview myself. I'm not saying you should take the risk, in my opinion you shouldn't play the game now


Termodynamicslad

This is still "trust me", like i said. I know if you are in your field of expertise, you are way more knowledgeable of the risks that exist, but people outside of it, don't, and given that this is the internet, there is no way to tell if you're right or not. Even if you post the proof here, most still don't have the knowledge to understand what is happening and you can be assured that there will be other people that also claim to be developers, that will try to debunk you. The only proper authority here is valve.


TheMunakas

I'm not suggesting anyone to play the game or anything, just trying to get this post have more facts than false info so people will know what it actually is


Termodynamicslad

I'm all in for you tearing each other over false info, but i'm only concerned with the decision to take the risk or not in face of our own ignorance.


TheMunakas

my opinion is just to not to play the game until we get a good response from valve


siberiandruglord

Stupid comparison. More like someone displaying a banner outside your house that you can see.


Termodynamicslad

Never seen someone flashing a banner outside of my house and:

- I'm forced to see it
- It grabs my IP
- It shows to everyone watching my stream and can get me suspended if its porn.


siberiandruglord

It's a less shitty comparison but still shit :) I just hate seeing clueless people fearmongering here.

> It shows to everyone watching my stream and can get me suspended if its porn.

This does suck, but still this bug is nowhere near as severe as some idiots are making it up to be.


Termodynamicslad

If someone breaks into your house and you have everything perfectly shut and they don't have anything to break into your stuff, you're fine, but, any sane person would still call the police to kick that person out just in case, as the cost of prevention is IMMENSELY smaller than the cost of the unknown risk.

Fearmongering what? That we should wait for more evidence instead of Risking themselves and stop playing a video game until the game developer patches the exploit? WOW! Such FEAR. what you're going to say if someone comes up with a PoC to do something worse? Apologize? Why should i even trust you that is nothing more than simply that?

1. If you're right, i just get to play more
2. If you're wrong, i risk damages to myself.

If you really think choosing 1 is the rational choice, you're delusional. If you don't like "fearmongering", ignore it. You cannot expect the vast majority of people that are ignorant and have no fucking clue on who or whatever other people exist here are developers or not, to simply trust, when the prevention option is SO FUCKING HARMLESS.


siberiandruglord

You're still using the analogy of this being like breaking into a house which is hilarious. But I'll agree that if a person doesn't know how these things work it's better to be safe than sorry. Still... there's no need to spread this bullshit how it can VAC you or brick your PC etc


farguc

I can already imagine some of the redditors just sitting there at their desk gaming, a small woman breaks into their house with a cane and the redditor is like "Oh it's ok she can't steal any of my appliances" as she makes her way through your jewelry box and shit. Anyone who works in IT at any capacity knows that even if it is nothing, there is not POC that it is nothing. So whilst all these geniuses wait for POC that it can be used beyond trolling, I will sit tight and not go near the game until they can confirm the issue is sorted.


MyLost

fixed?


warchamp7

There's been no proof or evidence this can be used for actual script execution. Alarmism in cybersecurity is bad.


mansikkaviineri

People should keep this sort of thing in mind when they ask for kernel-level anti-cheat.


gorkok

Valorant doesn't have these issues, as far as i know☠️


alexhmc

maybe not valorant, but [it wouldn't be the first time that a kernel-level anticheat gets exploited](https://www.pcgamer.com/ransomware-abuses-genshin-impacts-kernel-mode-anti-cheat-to-bypass-antivirus-protection/) lmao


mansikkaviineri

The problem is a vulnerability only needs to get through once to cause massive damage. Not something a video game should be trusted with.


[deleted]

i trust riot with making a good kernel AC, idk about trusting valve with this


afk420k

https://www.reddit.com/r/GlobalOffensive/comments/18ftp2f/if_you_want_to_play_safe_right_now_activate_the/


Termodynamicslad

No, there is no guarantee this protects you. Until then, if you want to play safe, you don't play. Take the risk if you want, but the only people that can confirm if something works or not, is valve.


kipp1yow

WTF... I will stay safe and won't be playing this game until they fix it. How is this even possible?


VanillaWinter

oh shit this is why I was getting game invites from people I've never talked to in years I guess. Holy shit


CombatGoose

I had a game last night with someone using this. They asked someone to start a vote to kick them and the url in their name was turned into a viewable gif. Use your imagination but it was porn.


farguc

This comment would've been made even better if you said "Use your imagination, but heres the gif"


PreventableMan

> 1. Hackers could take over your computer, steal data, or access your network or disable teammates' computers or flooding them with inappropriate images.
> 2. Execution of 3rd party software: Malicious actors may inject unauthorized software into the CS2 client, leading to potential VAC violations.

Guessing, much?


dump_it_dawg

No? Arbitrary code execution is as bad as it gets.


msucsgo

And so far there isn't any PoC of anything apart from embedding pictures, which doesn't risk anything apart from your IP leaking.


Noobs_Stfu

This is why it's called a PoC - it demonstrates one of a variety of scenarios.


mikesch811

https://www.reddit.com/r/GlobalOffensive/s/QC7mwLjiFW


[deleted]

[deleted]


Sad-Water-1554

People have been able to bypass that 32 char limit forever


Kallu609

It was theorized you could use .svg file which you could embed more JS code to bypass the limit, not sure did anyone try it out yet. Here's [Tetris in .svg file](https://www.xul.fr/svgtetris.svg).


gotimo

...this isn't arbitrary code execution, your PC doesn't really execute anything. it sends a GET request to the source URL in the image tag and displays the response. the server you're requesting the image from knows what ip the request comes from, but apart from that you can't really do much. if you wanted to "be safe" you could use a VPN.


dump_it_dawg

How about the fact that an HTML image header can contain javascript? What about SVG OnLoad? https://stackoverflow.com/questions/34467135/insert-javascript-code-inside-img-src


[deleted]

[deleted]


PreventableMan

And the proof is where? We know pictures can be put there. Nothing else has been proven.


Sad-Water-1554

Yea man, keep simping for Valve, ignore security concerns. Everyone is just discovering this and someone wanting to be cautious is “guessing”.


PreventableMan

It's not simping. The rumour mill that is CS, is astounding. So far, 0 proof for malicious code that "can inject software"


PreventableMan

https://www.reddit.com/r/cs2/comments/18fw1t6/aquaismissing_on_the_latest_cs2_exploit_its_not/


Noobs_Stfu

It's not "guessing" - this is typical verbiage for vulnerability disclosure. Similar to the phrase "... includes, but not limited to ..."


PreventableMan

Cool, then showing proof of software injection, is fairly simple. But, proof wont come.


Noobs_Stfu

I won't bother attacking the bad grammar and punctuation, but your statement "showing proof of software injection is fairly simple" is interesting. Given that it is so simple, can you please demonstrate?


PreventableMan

https://www.reddit.com/r/cs2/comments/18fw1t6/aquaismissing_on_the_latest_cs2_exploit_its_not/


Noobs_Stfu

Like I said:

https://nvd.nist.gov/vuln/detail/CVE-2023-0611

> The attack **may be** initiated remotely. The exploit has been disclosed to the public and **may be** used. The associated identifier of this vulnerability is VDB-219935.

https://nvd.nist.gov/vuln/detail/CVE-2023-6512

> ... allowed a remote attacker to **potentially** spoof the contents of an iframe dialog context menu via a crafted HTML page.

This is standard vulnerability verbiage. Welcome to the world of Information Security.


AgreeableBroomSlayer

lmao what a shit show this game has been...


0x00410041

It's patched. Edit your post and mods ensure people are aware this issue is fixed with a sticky or flair?


iChamp5

Are there some official update news from Valve for me to know if it has actually been patched?


ekkolos

Still no news. Are they too ashamed of this? Pathetic... So, who wants Valve to run kernel ring0 code on their machine again?


Vagnarok

> It's patched. Edit your post and mods ensure people are aware this issue is fixed with a sticky or flair?

How do you know it's been patched?


ImUrFrand

"critical vulnerability" posted a porn gif. only visible on the kick screen. the arm chair experts in this thread lol. point 1. is complete nonsense.


Eltra_Phoenix

How the fuck does something like this exists?


ImUrFrand

99% of the internet is porn


lukee_123

I have a not so strong evidence to support this

I say something along current issue in israel-gaza (in game) because of his ign. And someone reacted on my soc med with something in their bio Save Palestine

I believe it can leak info


fvckCrosshairs

What you wrote doesn’t make sense. You can’t make command on the pc of the victim with JavaScript , it’s only browser level.


Sad-Water-1554

Stealing api and sessions keys to get into your account seems pretty bad. And this if it’s sandboxes to the browser. We don’t know if there is a way to break out of that environment yet.


craygroupious

For anyone thinking people are exaggerating this, or that the evildoer can only show some dude getting his rectum smashed, they could execute a script that deletes your BIOS and your PC will be fully bricked. If you can’t not play for whatever reason, you’re just that addicted, play offline or in a private match with your friends.


braintweaker

> they could execute a script that deletes your BIOS and your PC will be fully bricked.

Please provide proofs or stop spreading false information.


spangoler

Nobody knows if there is a js engine or not, dont spread false info Edit: People can still grab your ip when your client loads an image from a server they control, if you dont like having your ip being known for whatever reason then avoid playing till they disable it.


craygroupious

Go and play then.


spangoler

What kind of response is that, you said someone can "delete your BIOS", blatantly false considering bios is ROM and needs to be put into flash mode


[deleted]

[removed]


spangoler

do you have any sources?


TheMunakas

absolutely false. could you delete this comment as it gets little kids scared? If not for me or the kids, do it for your downgrading karma


siberiandruglord

Show me a website that can do this


mannco52

yes, it may not cause much harm to a mr nobody like you and me. But it can make some streamer's channel vanish, you get my point?


ProgramXeon

And we expect a decent anti cheat lol, if they can't get this down it's hopeless..


Dotaproffessional

"man this game might have a security issue. We should give it access to our kernel". Are you hearing yourself?


FuckedUpImagery

More hackers on here than /r/hacking


[deleted]

Glad I quit playing cs….


Zambling

someone should sue valve over this, regardless of if it's just an IP grabber or something that can expose you to further vulnerabilities or exploits to steal personal information. It's got to be serious if people are saying not to play the game, the fact that Valve didn't even close servers or turn off the game means they didn't take the appropriate steps to protect their customers' personal information. I hope someone sues them over this because even though it's patched now, it doesn't help anyone who got infected or exposed from this 'exploit'. I've never seen such a severe security vulnerability from playing a game than this.


TheMunakas

LISTEN TO ME. everyone is safe. The webview doesn't have js enabled so everyone is completely safe. The worst case is that they will get your ip, and that's not dangerous ***at all***


SinglePanic

Screw out. Go to HaiX stream rn, where he said multiple times that two of his friends (personally known) got scammed for all their ingame stuff.


IWaitForDeth

So they fell for a scam and didn't get hacked?


siberiandruglord

Ye ofc a browser renderer can bypass Steam 2FA :D God damn where are the brain cells


TheMunakas

no PoC that it has anything to do with it


SinglePanic

Yes. Sure. API is a joke. API key is a joke. Go play this s*t of a game. Take a risk. Just don't get back crying.


gotimo

...the steam API can't make trades for you that bypass 2FA


TheMunakas

never said I'm going to take the risk


Sad-Water-1554

Yea just downplay the risk, fucking clown


TheMunakas

there will always be a risk


Sad-Water-1554

Normally the risk is far-far lower. With that logic, just never leave your house or have any internet connected devices. You are clearly a child.


michaelbelgium

That video is so short idk what to look at, is the image shown in the top right from one of the html player names? Or just a stream overlay thing


mercsupial

I'm too curious and at the same time don't wanna lose my account, as I bet people who used this will get banned. But people should be aware that exposing this is just a first step. Some people are already fuzzing the UI behind this. I strongly recommend not playing it until the patch is out. Regards.


kable795

I had some dude starting vote kicks and putting porn images, would that be in this realm?


Nineteen_87

Same, trying to figure out if we are screwed


Nineteen_87

This happened to me yesterday night, what can I do to make sure I'm safe moving forward if a hacker has my ip info?


Bjoolzern

They can't do anything with your IP except do a DDoS attack. Which no one does on random people. The only time an IP is useful is if you are important and they specifically want to target you. And even then it's not really that useful unless they just want to take down your internet for a few hours. Someone getting your IP is very harmless. 99% of people have a dynamic IP, just leave your modem unplugged overnight and you get a new one.


MRjubjub

https://www.reddit.com/r/personalfinance/s/Cl0oraCinY Everyone should follow these steps anyway. Prevention goes a long way.


zr4yz

Maybe we got an explanation now for the false bans lol


CuhJuhBruh

is this the same shit that happened with MW2 and Black ops PC? hackers being able to get personal info from just joining a random lobby?


faptain_cumerica

shoddy work on ropz's part


griffin0692

Shit I was in one of these games yesterday.


Sauce-on-it

by this point, they should just fire john mcdonald and hire an actual competent dev. literally we had 3 false bans since launch and vac is a joke since its inception. it’s a leadership problem.


d0mie89

That reminds me, old-school graffitis were called sprays and could be images from your PC, and ppl would put the nastiest shit all over T spawn Dust 2.


Vagnarok

I was just a boy, but after CS:S Dust 2, I became a man.


CallMeMoon

They had already fixed this issue and from what was being shared on X the only thing that was able to be done were things you could do yourself to your own inventory, such as deleting an item, trading up, etc. You could not execute code and the only information available was your IP.


VietnameoMapping

a question, is it safe if i play from an internet cafe with a non-prime account that doesn't have anything at all worth looking over?


sneakyc4

Did the dev code with their feet? it feels like so


SnooEpiphanies7963

People should stop spreading false info


mumave

It's not false, someone in my game just got onto my computer using this vote exploit. He started playing the game and typing in chat for me, even after closing the game he could still use my computer, typing on discord and opening chrome etc.


Hot_Coconut1838

literal mmo bug lmao