CS Invite Exploit
A CS2 (CS:GO) exploit allowing spoofing game invites and sending messages to other players
Invite with broken UI and link as message
About CS Invite Exploit
This exploit allowed sending messages (including links) to any player directly in-game, while completely breaking the UI in the process. This was an accidental discovery while reverse engineering CS:GO (CS2)'s internal APIs for a project similar to my VALORANT matchmaker.
During my research, I discovered that lobby invites, which usually feature metadata related to the lobby, had zero input sanitization for any of their fields. While testing, I discovered the country code field accepted text far longer than the standard 2-letter code, allowing for custom messages to be displayed. This text field also allowed for newline characters, allowing for breaking the UI by filling the entire screen, making invites unclickable, and hiding the sender's account.
Realizing the country code field could hold any message, and that CS:GO allows inviting any player (due to the in-game Looking to Play system), I built a Discord bot to test targeted invites to specific players.
Curious about the large-scale implications of an exploit like this, I decided to go to the extreme and implemented a system to automatically send invites to many CS:GO players with a Discord server link. Despite requiring manual URL entry in a browser, thousands of users joined the Discord server. Having proven the vulnerability's severity, I kept exploit details private and reported it to Valve in hopes of getting it patched.
As of today, the exploit is now semi-patched. Spoofing and mass invites still work, but custom written messages are not as disruptive as before. Due to this, I've open-sourced the code on GitHub and written a technical writeup.
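The missing check described above (a country code field that accepted arbitrary-length text and newlines) can be closed on the receiving side by allow-listing typed fields and stripping control characters before anything is rendered. The following is an added example, not code from this project or from Valve; the field names `country_code` and `lobby_label`, the length limit, and the sample invites are assumptions.

```python
import re
import unicodedata

# Assumed names and limits: the page names only a "country code" field.
COUNTRY_RE = re.compile(r"[A-Za-z]{2}")
MAX_TEXT_LEN = 32  # assumed display budget for free-text fields

# Constructed samples, not captured traffic.
NORMAL = {"country_code": "us", "lobby_label": "Competitive"}
ABUSIVE = {"country_code": "some long message" + "\n" * 40,
           "lobby_label": "a\u2028b"}


def clean_text(value, max_len=MAX_TEXT_LEN):
    """Drop control, format and line/paragraph separator characters, then cap length."""
    kept = "".join(
        ch for ch in str(value)
        if unicodedata.category(ch) not in ("Cc", "Cf", "Zl", "Zp")
    )
    return kept[:max_len]


def validate_invite(fields):
    """Return (safe_fields, violations) for one received invite.

    Typed fields are allow-listed and a bad value is replaced by a neutral
    default instead of being rendered; every other field is treated as
    untrusted display text.
    """
    safe, violations = {}, []
    for name, value in fields.items():
        if name == "country_code":
            # fullmatch rejects trailing newlines that a "$" anchor would accept.
            if isinstance(value, str) and COUNTRY_RE.fullmatch(value):
                safe[name] = value.upper()
            else:
                safe[name] = ""
                violations.append((name, "not a 2-letter code"))
        else:
            cleaned = clean_text(value)
            if cleaned != str(value):
                violations.append((name, "control characters or over length"))
            safe[name] = cleaned
    return safe, violations


if __name__ == "__main__":
    for sample in (NORMAL, ABUSIVE):
        print(validate_invite(sample))
```

The violations list is what a client or backend would log or rate-limit on, since a sender that repeatedly trips it is not a normal game client.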
Key Features
- Spoofing game invites to send messages to other players
- Discord bot for sending invites to specific players
- Automated sending of invites to massive amounts of players in the game
Challenges & Solutions
- Reverse engineering the internal APIs of CS:GO (CS2) to discover the required packets and functions
- Combining knowledge of the game and discovered packets to create an attack chain
- Creating an easy-to-use Discord bot
My Role & Workflow
As the first to discover this vulnerability, I researched and built the attack chain, then responsibly disclosed it to Valve. I pivoted from my original project, reverse engineered the necessary packets, documented the complete attack flow, and implemented it to demonstrate the severity.


