The source code for CS:GO and Team Fortress 2 leaked earlier today on 4chan. This has caused many people to recommend that players should avoid playing either game since it could put them in danger of exploitation.
Since the source files are now available, many hackers will likely be messing with the online servers, which in turn could impact millions of players who access either game’s online modes.
The source code in question is from 2017-18, which was previously made available to Source engine licensees to use. But even though the code is from an older model, the files inside could lead to advanced exploits being developed for both titles.
Valve has yet to comment on the leak, but multiple community-run servers for TF2, like Creators.TF and Red Sun, have announced that they’ll be shutting down all operations until something is done to counter potential exploitation. Reddit moderators on r/tf2 and r/counterstrike are recommending that players completely avoid playing either game, at least until Valve responds.
These measures are being pushed to try to keep players safe from any Remote Code Execute (RCE), which has been used in the past to push viruses, turn on aimbot for any player, or delete inventory items through the servers.
“Basically you are significantly more vulnerable in multiplayer matches,” an r/tf2 moderator said. “It is definitely possible that someone could install a virus on your machine by just being in the same server. Your items and steam profile could also be targeted. For your own safety we would advise that you hold off playing until this problem has been resolved. I do not know how long that will be but we will keep you posted.”
Until an official statement is made by Valve, it’s recommended that CS:GO and TF2 players avoid playing online or booting up the game entirely, if possible. There haven’t been any confirmed RCE attempts yet, but it’s better to proceed with caution.
Update April 22 4:45pm CT: Valve posted an update from the official CS:GO Twitter account about the leaked source code, saying that it hasn’t found “any reason for players to be alarmed or avoid the current builds.”
“We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018,” Valve said. “As always, playing on the official servers is recommended for greatest security. We will continue to investigate the situation and will update news outlets and players if we find anything to prove otherwise. In the meantime, if anyone has more information about the leak, the Valve security page describes how best to report that information.”