Source code for Team Fortress 2 and Counter-Strike: Global Offensive was reportedly leaked to the public today, which has created fears that player security could be at risk.
The source of the leak isn’t currently certain, but according to SteamDB the code is dated from 2017-18, and was previously made available to Source engine licensees.
Source code for both CS:GO and TF2 dated 2017/2018 that was made available to Source engine licensees was leaked to the public today. pic.twitter.com/qWEQGbq9Y6 (April 22, 2020)
Valve News Network’s Tyler McVicker claimed in a Twitch stream that the code originally came from a “member of the Source engine development community” in 2018. According to McVicker, members of Source Engine modding team Lever Softworks took steps to “contain” the leak after he warned Valve and received no response. The person who leaked the code today was not the same person who originally leaked it, he said, but a disgruntled former member of Lever who had recently been booted from the group.
“I did not leak this source code, and in fact I never had it,” said McVicker. “I was very aware of it, and in fact the warning signs of the original leak—it was very apparent, and then it did leak sometime in late 2018, and then my little group of Source Engine developers, all on this Lever Softworks Discord server, were discussing the leak and how to contain it, how to keep it from hitting critical mass.
“Because unfortunately if it had hit critical mass, it wouldn’t really hurt any one individual in particular. It would hurt the Source engine development community as a whole, because if Source code leaks, Valve then pulls the ability to have that source code to develop off of.”
McVicker did not identify the original “Source engine development community” leaker he references, nor today’s leaker. However, his story is backed up by fellow Valve enthusiast Jaycie Erysdren, who explained the story from her perspective on Twitter.
There’s still some uncertainty around the source of the leak, but the more immediate issue is the reported discovery of remote code execution bugs in the source code, noted in this TF2 subreddit thread, which unscrupulous programmers could use to compromise the security of TF2 and CS:GO players. Remote code execution is what it sounds like: the ability to make someone else’s PC execute code or commands remotely. Such a vulnerability would be very dangerous.
The reports are concerning enough that Team Fortress and CS:GO community servers Creators.TF and Red Sun Over Paradise have taken their servers offline until the problem is sorted.
“Allegedly, a remote code execution exploit that could be used to run malicious code on your client has already been discovered and many more of that kind are likely to come,” a notification on the official Red Sun Discord says. “I recommend you not to play the game at all on online servers until Valve themselves gives us the clear.”
Due to the recent source code leak we will be closing our servers for the foreseeable future. This is because of the uncertainty surrounding security of our infrastructure, as well as a potential for damage to be caused to your computer. https://t.co/gWcIKRMPdj (April 22, 2020)
This isn’t the first time that an RCE bug has been found in Source Engine games. In 2017, a “buffer overflow vulnerability” was discovered that left TF2, CS:GO, Portal 2, and others open to exploits that could be triggered simply by shooting at an enemy. In that case, however, the bug was found by a security research company, which notified Valve and then went public after the bug was fixed. The current leak could reveal new RCEs before Valve has a chance to correct them.
McVicker says in his video that he’s provided all the information he has to Valve’s legal team. We’ve reached out to Valve for more information, and will update this page as the story develops.