There’s been an “incident” within CS2 that allowed players to execute remote commands on other server players by having a weird script as their username and then initiating a votekick on themselves, which then executes the script on everyone. Is this patched, and is it safe to play CS2 now?
Has the Votekick Script Issue Been Fixed in CS2?
Valve will not explicitly officially confirm that there was an exploit of this kind nor that it was fixed (if it doesn’t exist, how can you fix it?) However, there is a hint in one of the latest Patch Notes that the issue may have been resolved, so let’s have a look.
CS2 Release Notes for 12/13/23
- Added all-new 2024 Service Medal, which will be available starting January 1st
- Fixed an issue that prevented some older demos from playing back
- Fixed multiple exploits that allowed adding non-text data into UI labels
- Added the ability to add a Friend by using their friend code
- Added a lister for multiple lobby invites
- Adjusted wear values of some community stickers to better match CS:GO
This is just a fragment of the release notes, but the one that matters the most for this article. Based on this, we can conclude that CS2 is now safe to play. Multiple exploits were discovered and all of them have been dealt with.
The “non-text data into User Interface labels” probably refers to the HTML code that was injected into players on CS2 servers by the person who wanted to abuse the exploits (while they were active).
What Could Have Happened to Me If I Was a Victim of This Exploit?
Based on my research, here’s the list of potential problems that could have happened to you:
- Your IP address could have been grabbed (in most cases, nothing special can be done to you, especially if you have a dynamic IP address that constantly changes).
- Images may be shown to you (potentially NSFW stuff).
- Remote scripts can be executed (i.e., instead of an image link, you may get “dragged” to a script link), but I haven’t 100% confirmed this yet.
What Should I Do If I Suspect That I Am a Target of This Exploit?
Usual security precautions are advised:
- Keep Windows Defender active and updated, at least. It’s good to prevent most of the threats in the wilderness that we know as the Internet. Some users use free/purchased security software, but that’s not always necessary for most users. To avoid making this sound like an under-the-table product endorsement, I’ve used it in the past, but I stopped because I am careful about the websites that I visit.
- Check with your ISP if your IP address is dynamic or static. You can Google “What’s my IP address?” and Google will show it to you. Restarting your router and getting another one when you repeat the query probably means it’s dynamic. In that case, you’re going to be OK because your old IP address will bear no significance to the person having it. If it’s static, your ISP should have DDoS protections enabled, and your Windows (or any other) Firewall should be of sufficient help to block any unwanted traffic. After all, it’s not easy to barge into someone’s computer just like that, or else everyone and their grandmothers would do it out of fun. In the majority of cases, your actual home address/location is not visible when you try to check the location of the IP address. In my case, for example, my IP address leads to the address of headquarters of my Internet Service Provider, so my privacy is intact.
- If you want to try one of those “popular” VPNs, that shouldn’t be necessary for this problem. If anything, you’ll probably only have worse ping than by connecting directly, and you’ll perform worse as a consequence.
If you are feeling stressed out over this, try and practice some smokes.