How Dota 2 Was Exploited Using a V8 JavaScript Bug Found in the Game

Ammar Aryani
Highlights
While bugs are commonly found in any game, including Dota 2, some bugs can cause harm to the player’s hardware or software.
Avast Threat Labs, which claims to be a network of cybersecurity researchers, discovered security threats in multiple Dota 2 Arcade game modes that used vulnerabilities found in the game’s JavaScript engine.
Following the discovery of the threats, Valve announced that it had hotfixed the issue back in January by upgrading the version of the engine that it was using.

Game bugs usually appear when the code used in the game build produces unexpected results. While some of these bugs tend to be game-breaking, such as the infamous NAVI fountain hook back in 2013, others tend to be far more harmful because they put players' cybersecurity at risk.

While Dota 2’s main game modes, such as Turbo and Ability Draft, are secured using Valve’s VAC (Valve Anti-Cheat) engine, the other game modes in the Arcade section tend not to have that security.

Valve hotfixed the vulnerabilities upon discovery

According to a recent article by Avast Threat Labs, which claims to be a network of cybersecurity researchers, it discovered that cyber attackers had taken advantage of Dota 2’s outdated V8 JavaScript engine by exploiting the vulnerabilities found within it.

For those unfamiliar with cybersecurity, a vulnerability found within the code can often be used to deliver malicious code to a victim’s computer. This in turn would allow the attacker to obtain access to the victim’s computer, gaining sensitive information or potentially damaging the hardware.

Cyber attackers created a game mode for Dota 2 Arcade and used vulnerabilities in the outdated V8 JavaScript engine to insert malicious code into the game. These vulnerabilities were exclusively found in the Arcade section of the game. Dota 2’s native matchmaking modes and lobbies were protected thanks to Valve’s anti-cheat solutions.

While all newly created game modes must go through a verification process performed by Valve before they become available on the Steam Workshop, four of the malicious game modes somehow managed to pass that process.

If a player subscribes to the affected arcade game through Steam’s workshop, they will also unknowingly install malware through which cyber attackers can gain access to their computer. Following this discovery, the investigators submitted their findings to Valve, the game’s publisher. In response, back in January, Valve issued a hotfix by upgrading the old and vulnerable version of the V8 JavaScript engine while also immediately taking down the exploited custom games on the Steam Workshop.

Valve has since addressed this potential security issue. Although there was no indication that the identified exploits were used for malicious purposes, Valve took proactive measures to improve Dota 2’s cybersecurity, which is commendable. The company has also removed the custom games that were the source of the potential security threat.


Ammar has been actively engaged in the esports industry in Malaysia in multiple roles in the past. Now, he utilizes his esports expertise to create insightful and meaningful content as the de facto Dota 2 writer at AFK Gaming.