Update: we have heard from Valve, who assures users that playing on official servers is perfectly safe. We've included their statement in the article below.
The source code for Team Fortress 2 has apparently been leaked, leading to hackers reportedly able to deliver malware through Remote Code Execution to other players.
This leak was initially reported by @SteamDB on Twitter, with the source code in question dating back to 2017 and 2018, affecting Counter-Strike: Source and Team Fortress 2. According to a report on the issue from PCGamesN (opens in new tab), several Team Fortress 2 server communities have advised players to avoid the game until further notice.
Source code for both CS:GO and TF2 dated 2017/2018 that was made available to Source engine licencees was leaked to the public today. pic.twitter.com/qWEQGbq9Y6April 22, 2020
Valve has reached out with a comment, saying "We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018. From this review, we have not found any reason for players to be alarmed or avoid the current builds (as always, playing on the official servers is recommended for greatest security)."
Valve goes on to clarify that it's investigating the problem and anyone who has any information can report it on Valve's security page (opens in new tab), which will explain how to fix the issue.
However, according to @HeavyUpdateOut (opens in new tab) on Twitter, "Remote Code Execution exploits have already been found". It's important to note, however, that @HeavyUpdateOut is simply a fan account, and while it's unbelievably popular, you should take the extent of this damage with a grain of salt.
Do not launch TF2 under any circumstances, Remote Code Execution exploits have already been found which means you can receive a virus from simply joining a server with a cheater. This is not a drill.April 22, 2020
The community has taken the lead with this issue, with a post on the TF2 subreddit warning users away (opens in new tab) from playing TF2 or CS:GO until the problem is patched out. That post does state that "If you aren't playing on any multiplayer servers you are not at risk" – but it may be best to avoid the affected games entirely.
We are also hearing unconfirmed reports that all current multiplayer Source-based games may be affected, including Garry's Mod.
Until Valve comes out and makes a statement or updates the game in some way, this is unconfirmed. But, because this is potentially a danger to your data security, our advice would be to avoid playing until the problem has been properly addressed by Valve.
We're going to be doing some further investigation on our end, as well, and will update as soon as we get any more information. Until then, maybe it's time to check out one of the best PC games just to play it safe for now.
This is a developing story.
Why is this so dangerous?
We have to reiterate that reports of Remote Code Execution in Team Fortress 2 and other Valve games have been unconfirmed. In fact, in that Reddit thread we mentioned earlier, mod Demoman clarifies that the source code is "an old version and was initially leaked about a year or two ago". And further that "it is unlikely but not impossible that security flaws such as RCE (Remote Code Execution) exist".
Still, the risk of RCE in the first place is a pretty substantial threat. Through this particularly nasty flavor of malware, an attacker can gain full control of your PC, and execute any code without your permission.
Wannacry was a pretty major example of a cyberattack enabled through RCE last year. This was a piece of ransomware that encrypted all files on victim's PCs, demanding a substantial payment through cryptocurrency.
So, even if RCE hasn't been actively confirmed, the fact that it's even a possibility in the present state of the game means that it's best avoided. If an attacker is able to pull it off, all of your data is potentially at risk.
- Check out the best gaming PCs