A big CS2 XSS vulnerability was spotted in Valve's FPS sequel
EDIT: Valve has already pushed out a fix for exploits involving UI code injection.
Probably best to wait for the next patch before entering a lobby.
CS2 is one of the hottest releases of the year so far. Created by Valve, the sequel to the classic FPS improved on a lot of things that CS:GO seemingly perfected. But no game is without its flaws, and Counter-Strike 2 seems to have a big one.
Just recently, word spread about a major CS2 bug involving cross-site scripting, or XSS. Numerous videos on YouTube confirmed the steps needed to reproduce the security flaw, and it's a tad concerning.
DO NOT PLAY CS2 RIGHT NOW
You can XSS by just using HTML in your Steam name…
The below example shows someone setting their name to an IP grabber and getting the IP address of all players on the server.
Obviously you can do a lot more with XSS be warned. pic.twitter.com/003fC4KlbQ
— ONSCREEN (@onscreenlol) December 11, 2023
CS2 XSS Bug
We won't reveal the CS2 XSS bug process here (it's a few clicks away on Google, which is frightening), but it abuses the characters allowed in a Steam username to inject code into another player's computer during a CS2 match. The information an attacker can get from you includes your router's IP address and your “general” geolocation. Some cases have had scripters perform DDoS attacks on other players' systems.
Now, exploits like the CS2 XSS Bug aren't new. We've seen them across games over the years, causing DDoS attacks and whatnot. But it's fairly surprising to see such a flaw, one that should've been hammered out in early development, fly over Valve's head.
Ex-Blizzard developer “Thor” also commented on his stream about the recently discovered CS2 XSS Bug exploit, detailing what a cross-site scripting attack does and how it can steal information about someone else's IP address.
Protecting your information from malicious scripters is a top priority, so we'd suggest taking a few days off from the game until we see Valve address the CS2 XSS Bug, which should be soon.