Light shed on the Dota 2 custom games that hacked players’ computers

Michael Hassall

A detailed report has lifted the veil on a series of custom games that weaponized a JavaScript vulnerability in Dota 2.

Details have emerged about a JavaScript vulnerability that was exploited through Dota 2 custom game modes in an attempt to gain backdoor access to players' computers. The vulnerability, which was patched in the Jan. 12 Dota 2 update, was revealed to the public by Avast Threat Labs on Feb. 9.

Avast Threat Labs had previously reported the exploit to Valve, which, according to the report by Jan Vojtěšek, immediately pushed the fix, took down the custom games, and notified affected players. Valve also reportedly introduced new measures to guard against custom game vulnerabilities.

Dota 2 custom games backdoor exploit

According to Avast Threat Labs, four malicious custom games were added to the Steam Workshop, all developed by a single user. These were entitled "test addon pls ignore", "Overdog no annoying heroes", "Custom Hero Brawl", and "Overthrow RTZ Edition". These games used a vulnerability in V8, Google’s open-source JavaScript and WebAssembly engine, to gain backdoor access to players' computers. Frequent Dota 2 Arcade users will also recognize that three of these are adaptations and recreations of some of the most popular game modes on the platform.

The attacker used copies of popular game modes to exploit the vulnerability (Screenshot by Esports.gg)

The backdoor could reportedly execute JavaScript, which could have potentially harmed users' systems. But as the report describes, it seems that the custom games were just part of a test of backdoor functionality. Additionally, according to Valve, the attack only affected around 200 players.

Are Dota 2 custom games safe?

With the vulnerability patched and Dota 2 updated, custom games are definitely back to being safe. However, the exploit shows that there are potentially malicious actors out there willing to use players’ excitement for new game modes against them. And the potential danger was much higher than the eventual result.

Avast Threat Labs’ report gave worrying examples of potential attacks: “A malicious attacker could attempt to take over a popular custom game mode. Many game modes are neglected by their original developers, so the attacker could try something as simple as promising to fix bugs and continue development for free. After some number of legitimate updates, the attacker could try to sneak in the JavaScript backdoor. Since game modes are updated automatically in the background, the unsuspecting victim players would not have a lot of opportunities to defend themselves.”

So while custom games are safe, it’s best to make sure you’re playing recently updated game modes from trustworthy developers, such as Ability Arena, Dota Auto Chess, 12v12, and others.

The Avast Threat Labs report ends with praise for Valve for its swift response and its future plans for mitigations. So while many of us sit waiting for the next patch, know that Valve sometimes has bigger fish to fry, protecting us from malicious actors.