No backdoor protection: Dota 2 players were at risk of being hacked via ​​custom games for almost a year

The saga is over, thankfully.

Custom game modes have been a part of Dota 2 since its inception. Theyre a way for players to create their own modified versions of the game, including spin-offs like Auto Chess, Overthrow, and Pudge Wars.

It turns out, however, there was a massive security hole in them for about a year between 2022 and 2023, giving hackers backdoor access to players’ computers.

The issue was fixed via a minor patch on Jan. 12, but Avast Threat Labs, who first discovered and reported the threat to Valve, revealed the shocking details about how it worked.

According to their report, a hacker created four custom gamesentitled test addon pls ignore, Overdog no annoying heroes, Custom Hero Brawl, and Overthrow RTZ Edition,all of which were adaptations of popular modes.

The difference, however, was they exploited a vulnerability in V8, Googles open-source JavaScript and WebAssembly engine, to gain backdoor Dota 2 access.

Fortunately, Valve handled the situation well. Not only did they push a fix immediately, but they also took down the custom games, notified affected players, and introduced new measures to prevent similar things from happening in the future.

But while custom games are safe to play, its still important to keep a lookout for ones that seem dodgy, since other security holes could pop up at any point.

Latest comments
No comments yet
Why not be the first to comment?