Valve left a security flaw in Dota 2 for two years until someone tried to exploit it
In context: Released in 2013, Dota 2 is still one of the most popular multiplayer experiences among MOBA aficionados. And for 15 months, millions of Dota 2 players were potentially vulnerable to remote code execution attacks because of Valve's carelessness.
Valve is infamously known for taking its sweet time making a new Half-Life game (actually, any new game) or counting up to three. The digital distribution giant co-founded by Gabe Newell is seemingly as lax regarding dangerous security vulnerabilities, putting players of one of its most popular titles at risk and letting hackers go wild with their malicious experiments.
The more than four-year-old version of the V8 JavaScript engine that Dota 2 shipped with was riddled with potentially dangerous security bugs. What's worse, Dota 2 doesn't run V8 with any sandbox protection. A bad actor could have exploited the issue to run malicious code remotely on Dota players' machines. According to Avast, that's what happened before Valve finally updated the V8 engine.
Avast researchers discovered that an unknown hacker was testing a potential exploit against CVE-2021-38003, an extremely dangerous security flaw in the V8 engine with an 8.8/10 severity rating. At first, the hacker made a seemingly benign test by publishing a new custom game mode — a way for players to change the Dota 2 experience — with an exploit code for CVE-2021-38003 embedded inside.
Google patched CVE-2021-38003 in October 2021. Meanwhile, the unknown hacker started experimenting in March 2022. Dota 2 developers didn't bother fixing the issue until January 2023, when Avast informed them of its findings. Further analysis to find other exploits was unsuccessful, while the true motivations of the Dota 2 hacker remain unknown.