Hacker Exploits Flaw in Dota 2 to Create Malicious Custom Games

A hacker found a way to hijack computers by abusing the popular PC game Dota 2 to serve up malicious computer code. 

The findings(Opens in a new window) come from antivirus provider Avast, which uncovered a hacker exploiting a vulnerability in Dota 2’s JavaScript engine capable of launching rogue computer code on a victim’s PC. 

The problem: Dota 2 had been using an outdated version of the V8 Javascript engine from December 2018, according to Avast researcher Jan Vojtěšek. That same software was vulnerable to a flaw Google researchers discovered(Opens in a new window) in 2021. 

By default, Dota 2 will only run authorized versions of JavaScript over the V8 engine. So players remain safe if they stick to the main game. However, Dota 2 also lets users run custom games developed by the player community. 

That’s how the hacker was able to exploit the outdated V8 Javascript engine. Vojtěšek uncovered the culprit publishing at least four malicious custom game modes for Dota 2 over Valve’s Steam store that were designed to abuse the flaw. 

(Credit: Avast)

“Since V8 was not sandboxed in Dota, the exploit on its own allowed for remote code execution against other Dota players,” he added. 

One of the four malicious game modes discovered actually appeared to be test environment for the hacker to tinker with the exploit. This game mode was simply labeled “test addon plz ignore.” But in examining it, Avast was able to understand how the attack worked. This included spotting a file capable of “logging” information from a victim’s PC and executing arbitrary commands. 

The hacker then added the malicious functions in three game modes for Dota 2 titled “Overdog no annoying heroes,” “Custom Hero Brawl,” and “Overthrow RTZ Edition X10 XP.” A backdoor in these game modes “can execute arbitrary JavaScript downloaded via HTTP, giving the attacker not only the ability to hide the exploit code, but also the ability to update it at their discretion without having to update the entire custom game mode,” Vojtěšek wrote.

The good news is that Valve patched the vulnerability on Jan. 12 with an update(Opens in a new window) to the V8 engine that took effect immediately after Avast reported the problem to the company. Valve didn’t immediately respond to a request for comment. But the company told Avast the hacker’s activities only affected 200 players. 

The hacker’s intentions remain unclear. When Avast uncovered the malicious game modes, the hacker’s control server for the exploit was already inactive. Still, the attack shows a creative and menacing way to infect large numbers of PC gamers since some Dota 2 custom games can command thousands or millions(Opens in a new window) of players.

“For example, a malicious attacker could attempt to take over a popular custom game mode. Many game modes are neglected by their original developers, so the attacker could try something as simple as promising to fix bugs and continue development for free,” Vojtěšek wrote. “After some number of legitimate updates, the attacker could try to sneak in the JavaScript backdoor.”