Hacker Exploits Flaw in Dota 2 to Create Malicious Custom Games

pcmag.com:

A hacker found a way to hijack computers by abusing the popular PC game Dota 2 to serve up malicious computer code. 

The findings(Opens in a new window) come from antivirus provider Avast, which uncovered a hacker exploiting a vulnerability in Dota 2’s JavaScript engine capable of launching rogue computer code on a victim’s PC. 

The problem: Dota 2 had been using an outdated version of the V8 Javascript engine from December 2018, according to Avast researcher Jan Vojtěšek. That same software was vulnerable to a flaw Google researchers discovered(Opens in a new window) in 2021. 

By default, Dota 2 will only run authorized versions of JavaScript over the V8 engine. So players remain safe if they stick to the main game. However, Dota 2 also lets users run custom games developed by the player community. 

That’s how the hacker was able to exploit the outdated V8 Javascript engine. Vojtěšek uncovered the culprit publishing at least four malicious custom game modes for Dota 2 over Valve’s Steam store that were designed to abuse the flaw. 

“Since V8 was not sandboxed in Dota, the exploit on its own allowed for remote code execution against other Dota players,” he added. 

One of the four malicious game modes discovered actually appeared to be test environment for the hacker to tinker with the exploit. This game mode was simply labeled “test addon plz ignore.” But in examining it, Avast was able to understand how the attack worked. This included spotting a file capable of “logging” information from a victim’s PC and executing arbitrary commands. 

The hacker then added the malicious functions in three game modes for Dota 2 titled “Overdog no annoying heroes,” “Custom Hero Brawl,” and “Overthrow RTZ Edition X10 XP.” A backdoor in