Update: Source Engine Source Code Leak May Spell Trouble For Games

April 22, 2020

By: Robert N. Adams

 
 

A Source Engine source code leak has apparently popped up online, potentially spelling doom for anti-cheat security in many video games.

The Source Engine is used as the backbone for quite a few games out there. Aside from the Half-Life games, the Source Engine is also used for CS:GO, Team Fortress 2, and DotA 2.

 

This recent leak, reported on /r/truetf2 and elsewhere, means that the security of these games may very well be compromised. As this /r/tf2 submission notes, it appears that the source code leak is up to date as of CS:GO's Operation Hydra update and TF2's Jungle Inferno update.


What Are the Implications of the Source Engine Source Code Leak?

The potential problems stemming from the Source Engine source code leak are pretty bad, to say the least.

So far, several people claim that there's a potential exploit that could allow affected game servers to tamper with players' computers in some fashion. As a consequence, one TF2 community has temporarily shut down its servers "for the indefinite future."

 
 

Having the source code available makes designing cheats and hacks much, much easier. Until any discovered vulnerabilities are fixed by Valve, it's also quite likely that we'll see an uptick in cheaters and hackers in games that are using the Source engine and are still vulnerable to any of the exploits that may be discovered.

There is one tiny upside to this debacle. Access to the source code means that modding should be much easier for the creative programmers out there in the world. While any potential security issues are certainly concerning, we may be getting some pretty neat improvements to mods (or outright new ones) as a result of this leak.

Valve News Network Denies Leaking Anything

One unfortunate allegation arising from this Source Engine source code leak is that Valve News Network's Tyler McVicker is somehow behind it or otherwise involved. Mr. McVicker took to Twitter to deny any responsibility.

A Quick Chat with Tyler McVicker

Following the above public response to allegations of leaking this source code, I reached out to Valve News Network's Tyler McVicker and had a quick voice chat with him on this issue.

 
 

"Well, I don't like being the person that's going, 'I've been framed!'" Tyler McVicker began. "Somebody is trying to make it look like I leaked this code. I had nothing to do with the code leaking."

According to Tyler, he had first heard of the Source Engine source code leak back in 2018 as previously stated in his tweets. Tyler McVicker repeatedly emphasized that he never took possession of the actual code due to the illegality of having it and the risk of the code being used to create hacks, cheats, and other malware.

Things were relatively quiet on this front for the last couple of years, at least in terms of the public having their hands on the engine's source code. However, Mr. McVicker believes that "nefarious" actors already had their hands on it based on two factors.

"I was aware of its existence. I was interested after it leaked in learning things from it if that was possible. I personally was like, 'Oh, that's kind of interesting if this wasn't dangerous.' But unfortunately, it's source code, which is some of the most illegal stuff you could possibly have. So I didn't want to touch that at all." — Tyler McVicker

First, the code was readily available to those who knew where to look. Secondly, he believes that a recent server-crashing exploit for a Source engine game could not have possibly been done without having access to this source code, although he was also careful to add that he is not a computer security expert and that it's an educated guess on his part.

 
 

Tyler McVicker had been in charge of a small online community at one point that also had some colleagues in the industry with access to the Source engine source code leak. He recently passed ownership over to someone else, and that new owner removed a few people. According to Tyler, one of these unnamed people who were kicked didn't take it that well.

"The one major thing that I would put forward is, the only reason this stuff leaked is just because we kicked a person out of a community group that has been very toxic in the past," he explained. "Actually, what ended up happening was, I just transferred ownership of this little [online community] that I run to a person that I trust because I didn't want anything to do with it anymore. That person restructured the [members of the community] and removed a few people, and then one of those people that were removed from the [community] went berserk — and went on 4chan and tried to frame me for leaking source code."

Based on this additional information, Tyler McVicker's initial tweets make much more sense in context. Given that he says he sent all the information he has to Valve's legal department, we may well find out the identity of the leaker in the future should Valve elect to take this to court.

Are Source Servers Safe?

One burning question on the minds of many a server admin is just how much damage the Source Engine source code leak could do to their communities. In Mr. McVicker's estimation, it won't be all that serious.

"There was already a vulnerability that had to be patched that [was] done through this [source code leak] a couple of weeks ago," Tyler explained. "There was a crash bot that would [go into a game and just end it.] The team behind this system used this code."

"It's been around, it's not new," he added. "It's just [that] the mainstream didn't know about it until today. So I don't think it will be very different than how it currently has been. You're still gonna have hackers."

"I'm not a security expert, but I will say this: if there was a major security vulnerability that could be found within this code, it likely would have already been found."

As we had reached the tail end of our quick chat, I asked Tyler if there was anything else he wanted to add regarding this Source Engine source code leak debacle.

"Yeah," he said. "I didn't leak it!"

"This one really stings, you know? I don't want to have my name attached to something so... bad. I would never do something like this, but a lot of people are assuming that I have done this and making very outlandish claims and assumptions about me as a person and me as a professional, and that really hurts."

Valve Has Reviewed the Leak and is Investigating

Valve's Doug Lombardi has responded to our request for information. Based on what he's said, it's looking like we don't have to worry about servers being in any sort of danger.

Here is Valve's statement on the Source Engine source code leak:

We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018.

From this review, we have not found any reason for players to be alarmed or avoid the current builds (as always, playing on the official servers is recommended for greatest security).

We will continue to investigate the situation and will update news outlets and players if we find anything to prove otherwise. In the meantime, if anyone has more information about the leak, the Valve security page (https://www.valvesoftware.com/en/security) describes how best to report that information.

Doug Lombardi's response corroborates what VNN's Tyler McVicker said about this source code having first leaked back in 2018.

We can't say for sure what the ultimate fallout of this leak will be. Thankfully, it looks like it's now safe to say that the damage (if any) will be minimal.

What do you think of the source code for the Source Engine leaking online? How bad do you think this will be for TF2, CS:GO, DotA 2, and other games that use the Source engine? Let us know in the comments below!