Game bugs are usually well-known to appear when unexpected results happen from the code used in the game build. While some of these bugs tend to be game breaking such as the infamous NAVI fountain hook back in 2013, others tend to be far more harmful by putting players' cybersecurity at risk.
While Dota 2’s mainly played game modes such as Turbo & Ability Draft are secured using Valve’s VAC (Valve Anti-Cheat) engine, the other game modes in the Arcade section tend to not have that security.
Valve hotfixed the vulnerabilities upon discovery
For those unfamiliar with cybersecurity, a vulnerability found within the code can often be used to deliver malicious code to a victim’s computer. This in turn would allow the attacker to obtain access to the victim’s computer, gaining sensitive information or potentially damaging the hardware.
While all of the newly created game modes must go through a verification process performed by Valve in order to be available for usage on the Steam Workshop, four of the malicious game modes somehow managed to pass Valve’s verification process.
If a player subscribes to the affected arcade game through Steam’s workshop, they will also unknowingly install malware through which cyber attackers can gain access to their computer. Following this discovery, the investigators submitted their findings to Valve, the game’s publisher. In response, Valve issued a hotfix by .
Valve has since addressed this potential security issue. Although there was no indication that the identified exploits were used for malicious purposes, Valve took proactive measures to improve Dota 2’s cybersecurity which can be lauded. The company has also removed the custom games that were the source of the potential security threat.