Looks like there’s a drip somewhere in Valve’s spigot. Source code for both Team Fortress 2 and Counter-Strike: Global Offensive has apparently been made public. The files appear to be from years ago, though that may not prevent present troublemakers from doing their thing. Some fan servers are worried enough that they’ve gone offline until they can assure that these leaks won’t compromise the security of players. So far it’s unclear where the leak originated, though of course that hasn’t stopped anyone from guessing or pointing fingers.
Update: Valve have now responded to RPS to say they are still investigating but currently “have not found any reason for players to be alarmed or avoid the current builds” of either game.
“We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018. From this review, we have not found any reason for players to be alarmed or avoid the current builds (as always, playing on the official servers is recommended for greatest security). We will continue to investigate the situation and will update news outlets and players if we find anything to prove otherwise. In the meantime, if anyone has more information about the leak, the Valve security page describes how best to report that information.”
Valve also shared this update via CS:GO’s Twitter profile.
Apparently these files first actually leaked back in 2018 but have only just made it to the general public. Routine Valve-follower and creator of the (unaffiliated) Valve News Network, Tyler McVicker, says that he was aware of the leak in 2018 and warned Valve about it.
Some rumours have called McVicker the source of the leak, though he denies those claims and in a Twitter thread says he will provide all information he has on the leak to Valve’s legal team. Other rumours point the finger at a former associate of McVicker’s lashing out. Regardless of the source, the files are out there.
With access to the source code, there’s a concern that wronguns could cause mayhem for players. Some player-run servers are already shutting down to protect against possible security vulnerabilities. Redsun, for starters, have notified their Discord members that they are temporarily shutting down their servers after hearing reports that someone discovered “a remote code execution exploit that could be used to run malicious code on your client.” Oof.
“All of this is more of a precaution than an actual threat,” Redsun added in a Steam post. “Being able to actually see how the game’s internals works means you can spot bugs that could allow for exploitation that otherwise could never have been found. Expect a rise in cheats, but wait back for word from Valve for anything else.”
Creators.tf are doing the same with their servers, citing “uncertainty surrounding security of our infrastructure.” Both are cautioning players not to play on any TF2 or CS:GO servers until Valve make an official statement, which seems like a sound plan.
This isn’t Valve’s first time about this particular block. Half-Life 2’s source code was leaked before it launched, causing a great deal of embarrassment for Valve—and legal charges for the hacker behind it.
Without official word from Valve, we can’t say for sure the true scope for security concerns. We’ve reached out to Valve for comment and not yet received a response.