Someone has posted the source code of Team Fortress 2 and Counter-Strike: GO on 4chan, the controversial imageboard website that keeps its users anonymous. From there, users grabbed the code and proceeded to share it on Reddit, Twitter, torrent sites, gaming forums, etc. Immediately, panic hit the vast player base of the two Valve titles, as people felt that anyone could now discover and exploit vulnerabilities in the games. That would lead to the dropping of malware on the players’ systems, RCE attacks, and various other malicious scenarios.
Do not launch TF2 under any circumstances, Remote Code Execution exploits have already been found which means you can receive a virus from simply joining a server with a cheater. This is not a drill.
— Heavy Update Out Yet (@HeavyUpdateOut) April 22, 2020
Upon investigating the leak, Valve figured that the code is dated, and concerns code depots shared with partners three years ago. The same files also leaked in 2018, so Valve was aware of their availability online. As the video game developer and publisher states, there is no reason for players to feel that they are in danger when launching CS:GO or TF2. The video games company will continue to investigate and monitor incoming reports on the Valve security page. Still, from what seems to be the case, digging in that three-years-old source code does not reveal any flaws, at least nothing that is still present on the current builds.
We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018. From this review, we have not found any reason for players to be alarmed or avoid the current builds.
— CS2 (@CounterStrike) April 22, 2020
From our review, we have not found any reason for TF2 players to be alarmed or avoid the current builds (as always, playing on the official servers is recommended for greatest security).
— Team Fortress 2 (@TeamFortress) April 23, 2020
Multiplayer games that launch through Steam cannot stagnate at an older stage for long. Players are forced to update sooner or later, as everyone needs to be running the latest available client version since otherwise, they cannot access the multiplayer lobbies. That said, the only thing you should be doing is ensuring that you are playing on official servers. No legit exploits have been published anywhere, there is no evidence that there’s a way to exploit any vulnerabilities, so there’s no tangible or realistic reason to worry about right now.
As for the person who leaked this online, Valve’s legal department will have some work to do on that part. Some are pointing to Tyler McVicker (Valve News Network), who denied having leaked the code and also claimed to know who did it. Others look at Discord groups “Cephalon” and “YSU Calc II,” where parts of the leak appeared two years ago. And finally, some accuse Valve employees of being responsible for the initial exposure, stating that they have received VSS images (backup volumes) from them in the past.