Valve left a security hole in Dota 2 for two years until someone tried to exploit it
In context: Released in 2013, Dota 2 is still one of the most popular multiplayer games among MOBA fans. For 15 months, millions of Dota 2 players were potentially vulnerable to remote code execution attacks due to Valve’s inattention.
Valve is notorious for taking its time making a new Half-Life game (any new game, really) or counting up to three. The digital distribution giant co-founded by Gabe Newell appears to be just as casual about dangerous security vulnerabilities, putting players of one of its most popular games at risk and allowing hackers to go crazy with their malicious experiments.
The version of the V8 JavaScript engine used by Dota 2, which is over four years old, has been riddled with potentially dangerous security bugs. To make matters worse, Dota 2 does not use V8 with any kind of sandbox protection. An attacker could use the issue to remotely launch malicious code against Dota players. According to Avast, this is what happened before Valve finally upgraded the V8 engine.
Avast researchers discovered that an unknown hacker was testing a potential exploit against CVE-2021-38003, an extremely dangerous V8 engine security vulnerability with a severity rating of 8.8/10. At first, the hacker performed a seemingly harmless test by publishing a new custom game mode – a way for players to change the gaming experience – with embedded exploit code for CVE-2021-38003.
Google fixed CVE-2021-38003 in October 2021. Meanwhile, an unknown hacker began experimenting in March 2022. The developers of Dota 2 didn’t bother to fix the issue until January 2023, when Avast informed them of their findings. Further analysis to look for other exploits was unsuccessful, and the true motives of the Dota 2 hacker remain unknown.