Counter-Strike 2 Vulnerability Patched After HTML Injection Exploits, Exposing Players’ IP Addresses
Valve has reportedly addressed and fixed a significant HTML injection flaw in Counter-Strike 2 (CS2) that was being exploited to inject images into games, potentially exposing players’ IP addresses. The issue was initially mistaken for a severe Cross-Site Scripting (XSS) vulnerability, but it was later clarified to be an HTML injection flaw that specifically allowed the injection of images.
CS2 utilizes Valve’s Panorama UI, a user interface heavily reliant on CSS, HTML, and JavaScript for design. The flaw involved the misuse of HTML injection to insert images into the kick voting panel. While some users exploited it for harmless amusement, others took advantage of the vulnerability to extract IP addresses of fellow gamers in the match.
there's an exploit in cs2 which allows you to use javascript for example to embed images in lobby invites and votekicks by adding a javascript line in your steam @valvesoftware @CounterStrike pls fix :3 pic.twitter.com/TRV0JCJc12
— vallu (@valluXD) December 11, 2023
By utilizing the <img> tag, malicious actors could trigger a remote IP logger script, logging the IP address of every player exposed to the vote kick. This information could potentially be misused, leading to actions like launching DDoS attacks to disconnect players from the ongoing match.
Valve responded promptly by releasing a small 7MB update that reportedly fixes the vulnerability, ensuring that any entered HTML is sanitized to a regular string. This prevents the rendered user interface from displaying injected HTML and minimizes the risk of further exploitation.
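The fix described above, shown as an added example (not Valve's code and not the Panorama API): a player-controlled name is concatenated into UI markup, then HTML-encoded before insertion so it renders as a regular string. The function names, the panel markup and the `logger.example` URL are constructed for illustration.

```javascript
// Added example: generic string-based rendering, not Valve's Panorama code.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode every character that can open a tag, an attribute value or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Flawed pattern: the player-controlled name is concatenated into markup as-is,
// so any tag in the name becomes part of the rendered panel.
function renderVotePanelUnsafe(playerName) {
  return `<div class="vote-panel">Kick player: ${playerName}?</div>`;
}

// Hardened pattern: the name is encoded first and is displayed as literal text.
function renderVotePanelSafe(playerName) {
  return `<div class="vote-panel">Kick player: ${escapeHtml(playerName)}?</div>`;
}

// Review helper (hypothetical): list the URLs a renderer would fetch because
// a tag in the markup carries a src attribute. Each fetch reveals the viewer's IP
// to whoever hosts that URL.
function remoteFetches(markup) {
  const urls = [];
  const tagRe = /<[a-z][^>]*\ssrc\s*=\s*["']?([^"'\s>]+)/gi;
  let match;
  while ((match = tagRe.exec(markup)) !== null) {
    urls.push(match[1]);
  }
  return urls;
}

// Constructed sample input: a display name containing an <img> tag.
const constructedName = '<img src="https://logger.example/pixel.png">';

console.log("unsafe panel fetches:", remoteFetches(renderVotePanelUnsafe(constructedName)));
console.log("safe panel fetches:  ", remoteFetches(renderVotePanelSafe(constructedName)));
console.log("safe panel markup:   ", renderVotePanelSafe(constructedName));
```

Encoding happens at the point where the name enters markup, so ordinary names that contain `&` or quotes still display correctly.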
Yes, it is. That's the point of the picture. pic.twitter.com/SGtaev8eGO
— Aquarius (@aquaismissing) December 11, 2023
Source: bleepingcomputer.com