Counter-Strike 2 HTML injection bug exposes players’ IPs

January 19, 2024

Counter-Strike 2, one of this generation’s most famous online games, has recently suffered an HTML injection flaw that exposes its players’ IP addresses.

Valve, the company that developed the first-person shooter, immediately rectified the flaw to safeguard users’ privacy. Based on reports, the vulnerability is an HTML injection flaw that allows an unauthorised party to inject images into the game interface.

The issue affects Counter-Strike 2 because the game relies on Valve’s Panorama UI, a sophisticated user interface that uses CSS, HTML, and JavaScript for design and layout. Within this design, developers can configure input fields to accept HTML without proper sanitisation, so any text entered is rendered as HTML on output.

The Counter-Strike 2 bug appears in one of the in-game voting panels.

Numerous players reported encountering the Counter-Strike 2 bug as unusual images on the kick-voting panel. While some users treated the bug as a simple joke, other participants exploited the vulnerability to obtain the IP addresses of fellow gamers within the match.

The technique involved using the <img> tag to activate a remote IP logger script, recording the IP address of every player exposed to the panel. The harvested information could then be put to malicious use, since parties who obtained the data could launch Distributed Denial of Service (DDoS) campaigns to disrupt players’ connections and force them to disconnect from the match.

Fortunately, Valve immediately released a minor 7MB patch to fix the vulnerability. The update ensures that any HTML input is sanitised to a regular string. With the patch, the interface displays the input as a string instead of rendering the injected HTML, preventing potential exploitation.

However, Valve has yet to respond to the inquiries regarding the patch’s effectiveness in addressing the current issue.
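The fix described above, reducing player-supplied text to a plain string before it reaches an HTML-capable label, can be illustrated in plain JavaScript. This is an added example, not Valve's or Panorama's code; the panel template, function names and sample names are assumptions constructed for illustration.

```javascript
// Added example: the template, names and helper functions are hypothetical.

// Escape the five characters that let text break out into markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the player-controlled name is concatenated into an HTML-enabled label.
function renderKickVoteUnsafe(playerName) {
  return `<span class="vote-title">Kick player: ${playerName}?</span>`;
}

// "After": the name is reduced to a plain string before it reaches the label.
function renderKickVoteSafe(playerName) {
  return `<span class="vote-title">Kick player: ${escapeHtml(playerName)}?</span>`;
}

// Review helper: list the remote URLs that rendered markup would make a client fetch.
function remoteLoads(html) {
  const urls = [];
  const tagRe = /<[a-z][^>]*\s(?:src|href)\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (/^(?:https?:)?\/\//i.test(m[1])) urls.push(m[1]);
  }
  return urls;
}

// Constructed sample names: one benign, one carrying an image tag
// (logger.example is a reserved placeholder domain).
const SAMPLE_NAMES = ['Tom & Jerry', '<img src="https://logger.example/p.png">'];

// Render each sample both ways and report which outputs would trigger a fetch.
function auditSamples() {
  return SAMPLE_NAMES.map((name) => ({
    name,
    unsafeLoads: remoteLoads(renderKickVoteUnsafe(name)),
    safeLoads: remoteLoads(renderKickVoteSafe(name)),
    safeHtml: renderKickVoteSafe(name),
  }));
}

console.log(JSON.stringify(auditSamples(), null, 2));
```

A check like `remoteLoads` is also useful in regression tests: any player-controlled field whose rendered output yields a non-empty list is still being interpreted as markup.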

This incident is similar to one in 2019 involving Counter-Strike: Global Offensive’s Panorama UI. That vulnerability was more severe, however, since it allowed unauthorised individuals not only to inject HTML but also to execute JavaScript.

That issue became a critical XSS vulnerability capable of remotely executing commands; hence, CS gamers should be more careful with their data and report similar bugs to the developers immediately to avoid compromise in the future.
