Skip to main content

Valve patches exploit that allowed hackers to hijack computers by fragging opponents

Valve patches exploit that allowed hackers to hijack computers by fragging opponents

Share this story

A newly patched vulnerability in Valve's Source SDK engine could have allowed hackers to hijack your computer in a truly bizarre way: by killing you in Counter-Strike

The vulnerability was discovered by security research firm One Up Security, which published an overview of the exploit. The hack — which Valve commendably patched in less than a day — took advantage of a hole in the engine based around custom assets.

Valve's Source SDK engine which powers some of the most popular games on the internet, including Counter-Strike: Global Offensive, Team Fortress 2, Portal 2, and Left 4 Dead 2, and many of those games allow for players to upload custom content into map files, like new texture or sound effects. In One Up Research's hack, a specially created "ragdoll" animation could be loaded into custom games to take advantage of the vulnerability in the engine. Then, if a player is killed in that game — which then triggers the ragdoll animation for their corpse — the malicious code would be also be triggered, allowing hackers to run code remotely on your machine and potentially cause some damage to your system. 

Given that the problem has already been fixed on Valve's end, it's unlikely that we'll actually see users getting their computers compromised by losing in Team Fortress 2. Still, it’s an entertaining glimpse at an alternate world where computer security depends not on how good your passwords are, but rather how good you are at not dying in a Valve game.