Gamers have been observed abusing a flaw in Counter-Strike 2, which allowed them to inject images into players’ user interfaces and view their IP addresses.
The flaw, which has reportedly now been patched by the game’s publisher, Valve, is an HTML injection vulnerability that would allow users to inject images into the game’s user interface, which, in this case, is Valve’s Panorama UI.
Panorama UI is built around HTML, CSS, and JavaScript and allows input fields to be reconfigured by developers to accept standard HTML without needing to be sanitised into a regular string. Any text inputted, therefore, would be rendered as HTML, allowing for images to be embedded.
For the most part, images are being embedded within the “vote to kick” pop-up that appears in-game, with the majority of the content being purely for fun.
there's an exploit in cs2 which allows you to use javascript for example to embed images in lobby invites and votekicks by adding a javascript line in your steam @valvesoftware @CounterStrike pls fix :3 pic.twitter.com/TRV0JCJc12
— vallu (@valluXD) December 11, 2023
However, there have also been cases observed of gamers injecting HTML code that results in the IP addresses of other gamers being seen.
Malicious actors would do this by injecting a remote IP logger script in the same field, meaning any player who viewed the vote to kick pop-up (which would be all players in the session) would have their IP address logged.
With an IP address, a malicious actor can achieve a lot, including using it to launch distributed denial-of-service (DDoS) attacks, access geographic information, impersonate you, track online activity and, through a port scanner, hack a device by finding out what vulnerable apps it is running.
Valve has reportedly fixed the vulnerability with a seven-megabyte update, which has led to injected HTML code now appearing as a standard string, as shown in the post on X below.
Yes, it is. That's the point of the picture. pic.twitter.com/SGtaev8eGO
— Aquarius (@aquaismissing) December 11, 2023
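The behaviour described above, sketched in JavaScript as an added example (not Valve's code and not the Panorama API; the function names, the sample display name and the logger.example host are constructed). It shows a player-controlled name concatenated into markup, which makes every viewing client fetch a remote image, next to the escaped form that renders as a plain string.

```javascript
// Added illustration; not Valve's code and not the Panorama API.
// All function names and the sample player name are constructed.

// Escape the five characters that let text break out into markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Weak pattern: the player-controlled name is concatenated into markup.
function renderVoteKickUnsafe(playerName) {
  return '<label class="vote-title">Kick player: ' + playerName + "?</label>";
}

// Hardened pattern: the name is escaped, so it renders as a plain string.
function renderVoteKickSafe(playerName) {
  return '<label class="vote-title">Kick player: ' + escapeHtml(playerName) + "?</label>";
}

// Review helper: list remote URLs that an HTML renderer would fetch
// automatically from src attributes. Each such fetch reveals the
// viewer's IP address to the remote host.
function findRemoteLoads(markup) {
  const urls = [];
  const re = /<[a-z][^>]*\ssrc\s*=\s*["']?(https?:\/\/[^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(markup)) !== null) urls.push(m[1]);
  return urls;
}

// Constructed sample: a display name carrying an image tag.
const sampleName = 'player<img src="https://logger.example/a.png">';

const unsafeMarkup = renderVoteKickUnsafe(sampleName);
const safeMarkup = renderVoteKickSafe(sampleName);

console.log(findRemoteLoads(unsafeMarkup)); // one remote fetch per viewer
console.log(findRemoteLoads(safeMarkup));   // none: the tag is inert text
console.log(safeMarkup);
```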
A similar vulnerability was found in Panorama UI in 2019, which allowed HTML to be similarly injected. However, this also allowed the execution of JavaScript code, making it much more dangerous.