
Counter-Strike 2 flaw exposes IP addresses, allows for image injection

Gamers have been observed abusing a flaw in Counter-Strike 2, which allowed them to inject images into players’ user interfaces and view their IP addresses.

Daniel Croft
Tue, 12 Dec 2023

The flaw, which has reportedly now been patched by the game’s publisher, Valve, is an HTML injection vulnerability that would allow users to inject images into the game’s user interface, which, in this case, is Valve’s Panorama UI.

Panorama UI is built around HTML, CSS, and JavaScript and allows input fields to be reconfigured by developers to accept standard HTML without needing to be sanitised into a regular string. Any text inputted, therefore, would be rendered as HTML, allowing for images to be embedded.

For the most part, images are being embedded within the “vote to kick” pop-up that appears in-game, with the majority of the content being purely for fun.


However, there have also been cases observed of gamers injecting HTML code that results in the IP addresses of other gamers being seen.

Malicious actors would do this by injecting a remote IP logger script in the same field, meaning any player who viewed the vote to kick pop-up (which would be all players in the session) would have their IP address logged.

With an IP address, a malicious actor can achieve a lot, including using it to launch distributed denial-of-service (DDoS) attacks, access geographic information, impersonate you, track online activity and, through a port scanner, hack a device by finding out what vulnerable apps it is running.

Valve has reportedly fixed the vulnerability with a seven-megabyte update, which has led to injected HTML code now appearing as a standard string, as shown in a post on X.
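The difference between rendering player text as HTML and rendering it as a standard string, shown as an added JavaScript example that is not Valve's or Panorama's code. The function names, the label markup and the sample player name are assumptions constructed for illustration, and the URL check is a simple regex, not a full HTML parser.

```javascript
// Added illustration using generic HTML templating, not the Panorama API.
// All names here are hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change HTML structure.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": player-controlled text is concatenated into markup unchanged,
// so any tags in the name become part of the UI.
function renderVoteLabelUnsafe(playerName) {
  return `<label class="vote-kick">Kick player: ${playerName}?</label>`;
}

// "After": the name is encoded first, so tags in it display as literal text.
function renderVoteLabelSafe(playerName) {
  return `<label class="vote-kick">Kick player: ${escapeHtml(playerName)}?</label>`;
}

// Defender's check: list src/href values that rendered markup would load.
// Any result for a vote label means player text reached the renderer as HTML.
function referencedUrls(markup) {
  const attr = /<[a-z][^>]*?\s(?:src|href)\s*=\s*["']?([^"'\s>]+)/gi;
  return [...markup.matchAll(attr)].map((m) => m[1]);
}

// Constructed sample name; example.invalid is a reserved, non-resolving domain.
const CONSTRUCTED_NAME = '<img src="https://logger.example.invalid/p.png">';

function demo() {
  return {
    unsafeLoads: referencedUrls(renderVoteLabelUnsafe(CONSTRUCTED_NAME)),
    safeLoads: referencedUrls(renderVoteLabelSafe(CONSTRUCTED_NAME)),
    safeMarkup: renderVoteLabelSafe(CONSTRUCTED_NAME),
  };
}

console.log(demo());
```

Every client that renders the unsafe label requests the referenced URL, which is how the remote server learns each viewer's IP address; the encoded label requests nothing.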

A similar vulnerability was found in Panorama UI in 2019, which allowed HTML to be similarly injected. However, this also allowed the execution of JavaScript code, making it much more dangerous.


Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
