ardate:

fuckyeahtf2:

A tweet from @SteamDB has been released stating the following, containing an image of numerous folders from the leaked code:

Source code for both CS:GO and TF2 dated 2017/2018 that was made available to Source engine licencees was leaked to the public today. 

As such, there have been numerous tweets and recommendations to not play these games due to chances of security exploits that could potentially brick your PC such as this tweet from @teamfortresstv:

Due to the recent source code leak for TF2, there have been reports of RCEs (Remote Code Executions) being discovered in the game. For this reason, we highly recommend against playing Team Fortress 2 until a response from Valve is released.

While there has been no confirmation of malware or exploits confirmed regarding RCE, Cathook (which has been infamous for recent hacker bot waves and server crashes) has been cited as the biggest danger involving this. The programming language C++ has a potential to enable buffer overflow exploits if a bug is present that allows it.

(cw slurs)

Allegedly, a screenshot has began rotating around regarding Cathook posting in the official TF2 alerts. It has not been confirmed whether this screencap is real or not.

Regardless of the multitude of information flying around, it is recommended to not play either Counter-Strike: Global Offensive or Team Fortress 2 until the issues have been addressed for safety. 

We will continue to update on this situation as more information is clarified and addressed.

Mod Note | Uber: Our other admin CriticalFlaw who actually knows things about coding is probably the best person to discuss more about it, so Iâll reach out and see what he has to say. 

THIS SCREENSHOT IS FAKE.
Here is the real version, unphotoshopped. You can see they replaced the pfp up left and the text.

Donât fall for this. People are very happy to spread rumors and fakes everywhere. There is indeed a risk for your computer ans steam account but donât go around spreading fakes to cause panic.

EDIT: I BEG YOU to reblog this version, we have to shoot down rumors and fakes going around. As a big TF2 discord moderator I can tell you it is a PAIN stopping this shit from spreading out, and I sure hope youâll all help me from slowing this down on tumblr too.

@agunwieldingcatâ @wachtelspinatâ @slightly-gay-pogohammerâ 

This information is correct, and as such weâve edited our original post to confirm the screenshot is fake. Weâve noticed a lot more screenshots going up from multiple sources that are in-game alerts; those also appear to be fake. We will now cover the earlier explained risks for PCs and Steam accounts:

CURRENT UPDATES:

A tweet from Valveâs official CSGO account has stated they are aware of the leak of code repo and have made a statement:

We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018. From this review, we have not found any reason for players to be alarmed or avoid the current builds.

As always, playing on the official servers is recommended for greatest security.

We will continue to investigate the situation and will update news outlets and players if we find anything to prove otherwise. In the meantime, if anyone has more information about the leak, the Valve security page describes how best to report that information. 

The Valve security page can be found here: https://www.valvesoftware.com/en/security

The Valve team account is reported to have backed the CSGO account statement. No word on Team Fortress 2â²s social media has been made yet regarding this exploit.

REGARDING RCE ACCESS:

There has been a lot of misinformation spread in the forms of fearmongering as well as zero risk situations. Other than the screencap being confirmed fake, weâll clarify a lot of our original posts to get through this as concisely as we can with the knowledge we have or have been given by programmers:

True: We mentioned there has been no confirmation of malware or exploits confirmed regarding RCE. This still remains true; as of right now, TF2 does not have an active confirmed RCE exploit. Even if an exploit had been found, it has been reported as very likely that these exploits are complicated to craft, so being developed on Day One of an exploit is almost impossible in likelihood.

False: We wrote that Cathook (which has been infamous for recent hacker bot waves and server crashes) has been cited as the biggest danger involving this. As of right now, this is false. While Cathook is responsible for the recent aimbot crisis as well as server crashes (which have been since patched), there is no evidence linking to Cathook developing anything related to RCE beyond their original aimbot & lagbots for TF2.

True: The programming language C++ has a potential to enable buffer overflow exploits if a bug is present that allows it. Outside of Team Fortress 2, this is a thing that is possible with C++ involving overfilling an allocated buffer with executable code and additional data and rerouting return addresses.

False/True: It is recommended to not play either Counter-Strike: Global Offensive or Team Fortress 2 until the issues have been addressed for safety. CSGO has recently issued a statement that they are safe. TF2 has not yet issued as statement that they are safe. 

We also want to cover additional questions and statements made recently around social media regarding fearmongering and zero risk. There is fearmongering, but to say there is no risk at all is disingenuous:

Fearmongering Is Happening - âTrueâ: As it stands, Team Fortress 2 accounts being hacked into with methods currently talked about is unlikely. The methods being discussed most is putting malware or turning your accounts into aimbots upon joining a server. However, in 2019-2020 after these type of exploits were patched and looked into, it does seem unlikely. Additionally, people posting screencaps now that have been shown to be as above fake is part of this. This falls under the âfearmongeringâ misinformation.

There Is No Risk At All - âFalseâ: As it stands, there have been reports of an RCE from TF2 from 2017, 3 years ago, that can supposedly be done from just being in the server. Coincidentally, these source code depot leaks are from 2017.

This reported RCE is not active and not a current threat. However statements that have been saying that in TF2â²s history there has NEVER been a major RCE exploit, as such, are untrue. This falls under the âzero risk at allâ misinformation. 

It is still recommended to avoid playing Team Fortress 2 until more information is posted by an official TF2 source about TF2 specifically, as well as once there is more information about the exploit found and confirmation of its existence or non-existence. 

Mod Note | CriticalFlaw: It may not happen to most people playing, but the threat is there and I think it’s better to be save than sorry until it’s known how this particular RCE works and/or Valve responds/fixes it.

Even if the screenshots posted to Reddit are fakes meant to stir people, with the source code being out there, a malicious variant of the RCE can and probably will be developed.

We will continue to update information as we receive it and information is further received or clarified.

A tweet from @SteamDB has been released stating the following, containing an image of numerous folders from the leaked code:

Source code for both CS:GO and TF2 dated 2017/2018 that was made available to Source engine licencees was leaked to the public today. 

As such, there have been numerous tweets and recommendations to not play these games due to chances of security exploits that could potentially brick your PC such as this tweet from @teamfortresstv:

Due to the recent source code leak for TF2, there have been reports of RCEs (Remote Code Executions) being discovered in the game. For this reason, we highly recommend against playing Team Fortress 2 until a response from Valve is released.

While there has been no confirmation of malware or exploits confirmed regarding RCE, Cathook (which has been infamous for recent hacker bot waves and server crashes) has been cited as the biggest danger involving this. The programming language C++ has a potential to enable buffer overflow exploits if a bug is present that allows it.

(cw slurs)

Allegedly, a screenshot has began rotating around regarding Cathook posting in the official TF2 alerts. It has not been confirmed whether this screencap is real or not.

Regardless of the multitude of information flying around, it is recommended to not play either Counter-Strike: Global Offensive or Team Fortress 2 until the issues have been addressed for safety. 

We will continue to update on this situation as more information is clarified and addressed.

Mod Note | Uber: Our other admin CriticalFlaw who actually knows things about coding is probably the best person to discuss more about it, so Iâll reach out and see what he has to say. 

EDIT: Mod Note | CriticalFlaw: At this moment, I’d say it’s a real risk to be playing TF2. While I’m not familiar with how this RCE works, I have read about another RCE for TF2 from almost three years ago. It can supposedly be done with just being in the server. It may not happen to most people playing, but the threat is there and I think it’s better to be save than sorry until it’s known how this particular RCE works and/or Valve responds/fixes it. 

Even if the screenshots posted to Reddit are fakes meant to stir people, with the source code being out there, a malicious variant of the RCE can and probably will be developed.