A new vulnerability in the famous multiplayer game Counter Strike 2 has been revealed, exposing players’ IP addresses via an HTML injection issue. This security flaw poses a serious risk to gamers’ privacy and online safety, possibly enabling fraudulent actors to target people for DDoS (Distributed Denial of Service) attacks. The gaming industry and the game’s developer, Valve Corporation, have been notified of the problem, requiring an immediate response to patch the vulnerability.
Valve is said to have patched an HTML injection bug in CS2 that was widely exploited today in order to inject images into games and collect other players’ IP addresses.
Developers can customise input areas as part of the design layout to accept HTML instead of sanitising it to a regular string. If HTML was enabled in the field, any text entered would be rendered as HTML when output.
Today, Counter-Strike players began complaining that they were exploiting an HTML injection issue to inject photos into the kick vote panel.
While the problem was generally utilised for simple fun, others took advantage of it to gain the IP addresses of other players in the match.
This was carried out through the use of the image> tag to launch a remote IP logger script, which stated the IP address of every player who witnessed the vote kick.
These IP addresses could be used maliciously, for example, to perform DDoS attacks that force participants to disconnect from the match.
Valve revealed a modest 7MB update this afternoon that allegedly resolves the vulnerability and converts any inputted HTML to a standard string.
For example, after installing the patch, instead of the injected HTML being rendered by the user interface, it will simply be presented as a string.
BleepingComputer asked Valve to see if this update corrected the issue, but has yet to get a response.
In 2019, a similar, but more significant, flaw was discovered in Counter-Strike: Global Offensive’s Panorama UI, allowing HTML to be injected via the kick function.
Analysis and Research
Cybersecurity experts investigated the flaw and confirmed that it could have consequences. Attackers could not only disrupt games but also jeopardies players’ network security by exploiting this bug. The study emphasized the need of sanitizing user input and the need for strong security measures in online gaming settings.
How should I react if it seems that my IP address has been harmed?
If possible, change your IP address, monitor your network for strange behaviour, and consider working with a VPN in the future to hide your IP address.
Has Valve issued a patch to address this vulnerability?
As of the knowledge cutoff date, Valve had been notified of the problem and was most likely working on a patch. Users should check for updates on a regular basis and install them as soon as they become available.
How can I prevent myself from such flaws?
Keeping your software up to date, be wary of links and user-generated content in games, and think about utilising additional security measures like firewalls and VPNs.
Will this flaw affect other games or apps?
HTML injection flaws have the ability to impact any programme that renders HTML content. In order to prevent such attacks, developers must clean user input.
Where can I report a security issue with Counter Strike 2?
You can report security issues to Valve Corporation via their bug bounty programme or their official support channels.