Custom game modes have been a part of Dota 2 since its inception. They’re a way for players to create their own modified versions of the game, including spin-offs like Auto Chess, Overthrow, and Pudge Wars.
It turns out, however, there was a massive security hole in them for about a year between 2022 and 2023, giving hackers backdoor access to players’ computers.
The issue was fixed via a minor patch on Jan. 12, but Avast Threat Labs, who first discovered and reported the threat to Valve, revealed the shocking details about how it worked.
According to their report, a hacker created four custom games—’entitled test addon pls ignore,’ ‘Overdog no annoying heroes,’ ‘Custom Hero Brawl,’ and ‘Overthrow RTZ Edition,’—all of which were adaptations of popular modes.
The difference, however, was they exploited a vulnerability in V8, Google’s open-source JavaScript and WebAssembly engine, to gain backdoor Dota 2 access.
Fortunately, Valve handled the situation well. Not only did they push a fix immediately, but they also took down the custom games, notified affected players, and introduced new measures to prevent similar things from happening in the future.
But while custom games are safe to play, it’s still important to keep a lookout for ones that seem dodgy, since other security holes could pop up at any point.
