Normally, when we talk about video games having bugs, it’s some kind of item duplication glitch or a hilarious failure in the jacket equip code of some tedious first-person-shooter online wardrobe simulator. Counter-Strike 2 has had a more embarrassing faux-pas, however, with a security hole allowing bad actors to theoretically capture the IPs of their fellow players in a server. You won’t believe how this came to happen.
The exploit has already been making its way around the forums, with one [Crouch9706] raising the alarm. It’s all down to the way Counter-Strike 2 renders the names that players have entered in their Steam gaming profiles. In certain menus and other parts of the UI, the game will actually parse HTML in a player’s name. Typically, the way to trigger it is to join a game and vote to kick yourself. This brings up a dialog for the other players that shows them your player name, and that dialog parses the HTML. The only limitation is that you get just 32 characters for your HTML.
There’s a nifty little extra trick to this, though, in that the same technique can be used to snag another player’s IP. By putting in HTML that links to your own server, you can log the IP of any player whose client connects to that server seeking an image, for example.
Of course, it’s not the biggest risk, with many players being behind ISPs that use CGNAT, making the harvested IPs rather useless. However, this sort of unexpected code injection is really not acceptable from a security standpoint. At the very least, it has the potential to expose players to nasty imagery.
Word on the street (Nitter) is that the exploit has now been patched. Meanwhile, if you’re working on a game that, for some mad reason, executes code based on player names or any other such data, consider patching your work ASAP. If you find similar exploits in the wild, don’t hesitate to hit up our tipsline—and notify the developers, too!
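The defect above boils down to a display name being spliced into UI markup as-is. Here is an added example (not code from the article, from Valve, or from Counter-Strike 2) that contrasts that pattern with the fix: escape the name so the renderer treats it as text, and validate it against an allow-list before it ever reaches the UI. The 32-character limit comes from the article; the allowed character set and the sample name are assumptions.

```javascript
// Constructed sample: a 32-character-or-shorter name carrying markup
// that a vote-kick dialog would interpret if it parsed names as HTML.
const SAMPLE_NAME = '<img src=//tracker.example/a>';

// Vulnerable pattern: the untrusted name is interpolated straight into
// the dialog markup, so any tags in it become part of the document.
function renderKickDialogVulnerable(name) {
  return `<div class="vote-dialog">Kick ${name}?</div>`;
}

// Escape the five characters that let text break out of an HTML text
// node or attribute. '&' must go first so entities are not re-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: the name is data, so it is escaped on output.
function renderKickDialogSafe(name) {
  return `<div class="vote-dialog">Kick ${escapeHtml(name)}?</div>`;
}

// Defence in depth: reject names that are not plain text at all
// ("disallow everything by default"). Letters, digits, space and a few
// punctuation marks, up to 32 characters; this allow-list is an assumption.
function isAcceptableDisplayName(name) {
  return /^[\p{L}\p{N} _.\-]{1,32}$/u.test(name);
}

// Helper used below to show whether rendered output still contains a tag.
function containsHtmlTag(markup) {
  return /<[a-zA-Z]/.test(markup.replace(/^<div class="vote-dialog">|<\/div>$/g, ''));
}

console.log(containsHtmlTag(renderKickDialogVulnerable(SAMPLE_NAME))); // true
console.log(containsHtmlTag(renderKickDialogSafe(SAMPLE_NAME)));       // false
console.log(isAcceptableDisplayName(SAMPLE_NAME));                     // false
```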
If anything, it’s a testament to the amount of bloat modern software floats around in, that an arbitrary text string for a first-person shooter ends up in a fcking HTML renderer!
That’s what I’ve thought too, how fragile is your framework to allow such an easy exploit?
Don’t get me wrong, I know there are a LOT of things to think of when you develop a GUI framework, but I feel that if you laid it down correctly, such security flaws don’t happen (especially if you take the approach to disallow everything by default).
It’s showing the opposite. The GUI is an HTML interface already. It shouldn’t be all that surprising that wanting a modal dialog in an HTML renderer would also itself be rendered in HTML.
Bloat would be adding yet another framework on top of the HTML renderer just to handle dialog boxes.
Or put another way, when you made your post here and typed into the “name” field, it should not be surprising that an arbitrary text string is rendered as HTML in the webpage.
This was entirely a failure to sanitize that input. Perhaps they assumed Steam sanitized it before handing it off to them (not that this excuses it, but it seems a likely reason).
Nuance-bro (or Valve employee) here to tell us all that making everything a webpage is good, actually. Nah, not buying it.
Everything a webpage? No. Terrible idea.
But I recommend you take a whack at implementing an OpenGL-rendered UI framework from scratch that has support for all the design features of HTML demanded by the UI/UX designers. I spent a month working on a much, much simpler subset of features and even things like aligning elements are so full of edge cases I gave up and switched to embedded Chromium rendered to a texture.
But Anonymous-bro (or armchair game dev) here to tell us all that doing everything from scratch every time is good, actually. Nah, not buying it. You’ll waste millions in man hours just trying to get FlexBox working the way the designers expect it to.
CS2 was made by Valve. Why would they assume that?
Steam developer is Valve?
o_o
*That’s my point.* The CS2 devs have physical access to the people who make Steam. Why would they *assume* anything?
I wouldn’t call it hilarious. A username should be very simple. A simple Unicode string or even an ASCII string would have been enough. Perhaps allowing some escape characters for custom formatting (like many forums use). HTML is overkill and without sanitizing it can send data or execute code.
That’s a gross oversimplification of the whole system. It’s not *just* a string. The entire Panorama UI used by CS is HTML based.
https://xkcd.com/327/
This was the case already in CS 1.6 (and CZ.). I used to change my font color to something parsing as illegal color, which would render as invisible.
I really don’t understand why IPs are such a ‘hot topic’ now?? (since a year or so tops?)
We’ve always had them and they’ve always been public? whois info is also public and that has also always been the case? (which is why most ISPs just point all whois data to their own office??) why is it suddenly ‘news’ that we all have an ‘online address’? (nothing against HaD btw, seeing this mentioned everywhere)
With all due respect etc, in my mind this has an incredibly high script kiddie score, big effin whoop you can see my IP? omg? did you know I can see yours too? we’re such a bunch of 1337 haxxorz!… ???
Seriously, when some stupid kid tells me my IP in a game I laugh at them and invite them to definitely go and waste time and/or money trying to DDOS me, unless they actually pay some service for it it’s not like they will take down my 200mbps connection that I’m pretty sure ALSO has DDOS protection 🤷♂️
Surely your best idea for what harm someone could do with your home’s IP is not that they might try and interfere with your connection?
Anyway, examples: Take IRC. Plenty of people have always obfuscated their home IPs on there, and avoided sharing enough other info to get doxed. And there was quite a while where it was much less common to use real names at all; it was fully expected that someone who was active on the internet may have tons of different usernames they operated under depending on what they were doing.
Not even the President uses his real name online if he can help it.
If it reads HTML, I wonder if you can also feed it JavaScript and treat the screen names like bookmarklets.
This bug could actually be escalated to remote code execution according to videos floating around the web.