Gamers logging on to Valve’s popular first-person shooter, Counter-Strike: Global Offensive (CS:GO), earlier this week found themselves confronted by a rather aggrieved and aggressive wall of text spammed in the game lobbies.
According to screenshots from CS:GO players, the text said that in-game security issues were going unnoticed and unmitigated by Valve, which, according to the complaints, was more interested in getting money from players than in fixing security issues, as “in its current state it is unplayable”.
Within a day of this hack going live, a Valve staff member commented on the complaint thread that the exploit had been mitigated via a “temporary solution,” with a more permanent fix coming within a week or so.
Ironically, the spammed text says that “we are customers that are willing to pay for a good game without hackers and bugs,” yet the spammers’ tactic exploited an in-game vulnerability that allowed them to spam multiple game lobbies – apparently even including private lobbies – with this text over and over for hours, if not days, according to the Reddit thread where this issue was initially reported. In essence, they hacked the game to prove that the game is hackable.
In addition, the hackers responsible for the text spam also published their lobby-hacking script, making it possible for anyone so inclined to copy the attack until the hotfix was deployed.
The volume of the lobby text spam and the infiltration of private rooms annoyed and spooked a number of players, judging by the comments in the Reddit thread. Opinions are mixed on whether the hackers made their case: in-game cheating is and has been a problem in highly competitive games like Counter-Strike for a very long time, and almost anyone who plays these games encounters people using bots or cheats at one point.
Game companies are often in an arms race to deploy more sophisticated countermeasures to clamp down on the practice. But while spamming game lobbies and making the game more difficult to play may have grabbed attention from players and Valve alike, it’s questionable whether the hackers’ tactics really helped their cause.
While there are many approaches to disclosure recommended in the field, the approach the hackers took here is akin to dropping a zero-day with no coordination with the vendor. We would have recommended a more coordinated disclosure approach, giving Valve specific details on an exploit used by cheaters, and then allowing them a chance to investigate and respond before making the details public.