There are two news stories today. Unfortunately, some people have difficulty uncoupling the two.
- The Team Fortress 2 Source Code has been leaked.
- Hackers discovered a Remote Code Execution exploit.
The second point is something to be concerned about. RCE is game over. The existence of an unpatched RCE vulnerability, with public exploits, is sufficient reason to uninstall the game and wait for a fix to be released. Good on everyone for reporting that. You’re being responsible. (If it’s real, that is! See update at the bottom.)
The first point might explain why the second happened, which is fine for the sake of narrative… but by itself, a source code leak is a non-issue that nobody in their right mind should worry about from a security perspective.
Anyone who believes they’re less secure because the source code is public is either uninformed or misinformed.
I will explain.
Why Source Code Leaks Don’t Matter for Security
You should know that, throughout my time online as a furry, I have been awarded thousand dollar bounties through public bounty programs.
How did you earn those bounties?
By finding zero-day vulnerabilities in those companies’ software.
But only some of those were for open source software projects. CreditKarma definitely does not share their Android app’s source code with security researchers.
How did you do it?
I simply reverse engineered their apps using off-the-shelf tools, and studied the decompiled source code.
Why are you making that sound trivial?
Because it is trivial!
If you don’t believe me, choose a random game from your Steam library.
Right click > Properties. Click on the Local Files tab, then click “Browse Local Files”. Now search for a binary.
If your game is a typical C/C++ project, you’ll next want to install Ghidra.
Other platforms and their respective tools:
If you see a bunch of HTML and JS files, you can literally use beautifier.io to make the code readable.
Open your target binary in the appropriate reverse engineering software, and you can decompile the binary into C/C++ code.
Congratulations! If you’ve made it this far, you’re neck-and-neck with any attacker who has a leaked copy of the source code.
Every Information Security Expert Knows This
Almost literally everyone working in infosec knows that keeping a product’s source code a secret doesn’t actually improve the security of the product.
There’s a derisive term for this belief: Security Through Obscurity.
The only people whose job will be made more difficult with the source code leak are lawyers dealing with Intellectual Property (IP) disputes.
Remote Code Execution is bad.
The Source Code being public? Yawn.
Update: Shortly after I made this post, I was made aware of another news story worthy of everyone’s attention far more than FUD about source code leaks.
Now this is the kind of story that makes Twitter worthwhile!
Is the RCE Exploit Even Real?
Update 2: I’ve heard a lot of reports that the alleged RCE exploit is fake. I haven’t taken the time to look at Team Fortress 2 or CS:GO in any meaningful way, but the CS:GO team did have this to say about the leaks:
Fake news and old news are strange (yet strangely common) bedfellows.
3 replies on ““Source Code Leak” is Effectively Meaningless to Endpoint Security”
[…] recent post about the alleged source code leaks affecting Team Fortress 2 and Counter-Strike: Global Offensive made the rounds on Twitter and made someone very mad, so I got hate […]
[…] of my early blog posts in April (about source code leaks being effectively meaningless to endpoint security) got a lot of attention on social media and even got cited by The […]
[…] worked in software security for a long time. One of my earliest blog posts cited my HackerOne profile as a data point for taking my opinion seriously, but I never really considered myself a “bug […]