The discovery of leaked source code for two popular games – Counter-Strike: Global Offensive (CS:GO) and Team Fortress 2 – has led to security concerns and even calls for gamers to uninstall the software from their computers.
The developer and publisher of the two games, Valve, is downplaying the source-code leak, saying it does not see “any reason for players to be alarmed or avoid the current builds.” In a statement posted on the CS:GO and Team Fortress 2 Twitter accounts, Valve said the source code in question is older, dating to 2017 — and that it was already part of an existing leak from 2018.
“We will continue to investigate the situation and will update news outlets and players if we find anything to prove otherwise,” said Valve on Wednesday. “In the meantime, if anyone has more information about the leak, the Valve security page…describes how best to report that information.”
We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018. From this review, we have not found any reason for players to be alarmed or avoid the current builds.
— CS:GO (@CSGO) April 22, 2020
The code was first posted on the /v/ board on 4Chan, on Tuesday. Source-code access is typically limited to Source Engine licensees, Valve employees and contractors – so the idea that anyone could get their hands on it has worried gamers that it could open the door for cheating. It also has raised concerns about serious security issues like the installation of malware, remote code-execution attacks or the development of zero-day exploits.
Both of the first-person shooter games are wildly popular, with 300 million players worldwide playing CS:GO; and tens of thousands playing Team Fortress 2 daily – potentially opening up a wide threat surface for attack. The discovery of the code led to widespread calls on Twitter and Reddit for players to not play the games, or to even uninstall the software from their computers. Some sites that allow gamers to share content for Team Fortress 2 (Creators.TF and Red Sun) announced they’ll shut down their servers.
However, as mentioned by Valve, the code isn’t new: The CS:GO code ends with Operation Hydra, which was released in 2017, while the Team Fortress 2 source code ends with the Jungle Inferno update from 2017 (according to a Newsweek report).
Source code for both CS:GO and TF2 dated 2017/2018 that was made available to Source engine licencees was leaked to the public today. pic.twitter.com/qWEQGbq9Y6
— Steam Database (@SteamDB) April 22, 2020
Valve continues to face security issues over the years. In March 2019, a proprietor of a Counter-Strike gaming server promotion service used multiple zero-days in the Counter-Strike client to create a large botnet, made up of fake game servers for the popular online multiplayer game. Also last year, a researcher dropped two zero-day vulnerabilities that affect the Steam game client for Windows, after Valve said it wouldn’t fix it.
“As always, playing on the official servers is recommended for greatest security,” said Valve’s statement.
Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, A Practical Guide to Securing the Cloud in the Face of Crisis. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. Please register here for this sponsored webinar.
