April 22nd 2020

Update 2: At this time, it's pretty clear that any possibility of a new Remote Code Execution exploit having been developed is essentially null.

While personally we did not think it reasonable that the release of source code of a massive project (such as the TF2 codebase) would result in the discovery of a major RCE exploit within hours, there was a clear demand for an unpacking of the situation from a reputable source. It seemed irresponsible to recommend that others simply play the game, even if the chance of any real risk was quite low.

The truth is, an exploit on the scale of an RCE is generally difficult to find (not always, of course), and in a codebase the size of TF2's, finding one would take a while. Additionally, those willing to deal with disassembled/decompiled code have always been able to poke around with the game's client code (well, a version of it). The source code leak made things easier, but would not accelerate discovery of an exploit to the extent that'd be required for something to already have been developed.

Ultimately, the leak of this code is of great concern to Valve, but it's probably mainly Valve that has to worry about the negative consequences of such a leak. It may make cheat development easier, but the truth is that code compilation / obfuscation is never going to prevent attackers from getting what they want; only make it more difficult. (See the bit about security being in "layers" down below).

Update: It's come to our attention that a small amount of internal item server / GC source files are included in this leak. This means that some of the code running on the TF2 item servers (as of late 2017) can be read by anyone. This does not grant anyone the ability to change the code running on the item servers; only see a historical copy.

While this is a concerning update to our understanding of the situation, it is not as bad as it may appear. The ability to see the code that the servers are running is not the same as the ability to change the code.

In order to use this code to exploit the item servers, one would still need to "trick" the item server by sending it carefully constructed messages. For example, one might send it an "open this crate" message which uses a scrap metal instead of a key to open the crate. However, the item servers will already be written to detect such issues (in this example, ensuring that the "key" is really a key). The messaging format and protocols used to communicate with the item server were already documented and understood before this leak, and although the leak may help find ways to "trick" the item server, there does not seem to be a major hole left open by the discovery of these files.

We currently see no way these item server source files could directly result in an attack on the ingame economy.

The original unedited article is below for posterity. The contents of the "Trading / Steam API" section are outdated, but the other sections remain accurate.

Some stuff's happening today, and it may have made you say, "Hey! What's going on?"

Let's keep it simple: a 2017 version of TF2's CLIENT source code has leaked. We'll explain what this means shortly; for now, let's go over how this impacts you.

Is it safe to play TF2?

Short answer: While there is no evidence to support the existence of new security holes, out of an abundance of caution, perhaps hold off.

So this is a bit difficult to unpack. You may have seen a video purporting to demonstrate an "RCE" exploit (Remote Code Execution; basically, the most dangerous kind of security hole) in TF2 recently; there is no reason to believe this video is real, and there are issues present that make it apparent that it is not a legitimate exploit.

However, when the full source code of an application is leaked, it makes it significantly easier to find unpatched vulnerabilities in its code (because you have the code). There is no doubt that malicious actors are searching through it at this very moment, trying to find security vulnerabilities. On the other hand, Valve has an active bug bounty program, which means there is profit in finding any such bugs and reporting them to Valve.

Additionally, this source code leak is not completely "new". It is, more accurately, a public leak of a private leak, and it's impossible to know exactly who has already seen this code or for how long. This means that vulnerabilities present in the code could have already been found and abused prior to this leak. This is unfortunately cause for more concern, not less.

Security is a difficult thing to discuss because there are so many unknowns. Any exploits found in this code will have been present in the code long before being discovered, and very well could have been discovered by someone who smartly kept themselves off the radar. Likewise, a security hole has to be discovered before it is dangerous; and if it isn't discovered, it isn't abused. A good rule of thumb is that if it's software, it can be hacked. This doesn't mean you can't make it harder, though.

Security works best in layers. Assume any of the layers can fail, but won't most of the time. Enough layers make a specific victim too costly to attack, but not necessarily impossible. Anyways, think of your own decisions as a layer in that security. You could set up a Virtual Machine and play TF2 inside it, insulating your main OS from malware due to a possible RCE in TF2's client. However, it might be smarter to just... wait for a little bit. If there are any pressing security concerns, they will be patched in short order.

To sum it up, there is no evidence of a NEW security hole. However, finding security holes has been made easier, and right now, a lot of people -- good and bad -- are trying to do just that. Out of an abundance of caution, perhaps don't play TF2 for a short while until more concrete information is available. It shouldn't be too long.

Is Trading Safe? / The Steam API was leaked too!

Short Answer: Trading is fine. The Steam API was not "leaked".

The code that was leaked -- while proprietary, and definitely not something a company wants leaked -- was the TF2 client code; the code for the application you run when you play TF2. This is entirely separate from the TF2 Item Server code. The Item Server code is still completely private, and runs on Valve's private servers.

If the TF2 client were able to mess with the trading / item servers, that would already have been exploited (and has, in the past). However, these are complicated exploits that involve "tricking" the item server, and are quite rare. The TF2 client code does not help an attacker figure out how to trick the TF2 item server. They are entirely separate.

As for the Steam API "leak", there is no evidence to suggest that anything beyond client library files were leaked; these are entirely different from the internal code for the Steam API. This is, frankly, harmless. Even if the internal API source were leaked, it honestly would be unlikely to lead to any vulnerabilities.

But what is this? Like, what is going on, you feel me? What are we talking about?

Boy am I glad I made you ask! Here's what happened:

Basically, someone involved on a Sourcemodder team (modder teams, oh boy) had access to a private leak of the TF2 source code from 2017 (that's this!). They got kicked off the modder team, and in retaliation, publicly leaked the private leak they had access to.

But what got leaked? The source code for the TF2 client. ("Source" here does not mean "Source" the game engine; "source code" is a programming term, not a Valve one). This is all the code files that get turned into your favorite game. However, there's some stuff missing.

For example, the game might run fine, but it has to connect to the item server. This is entirely different code, which was not leaked, and which was never intended to run on your computer. It's special code, reserved for Valve's super special servers. The game client doesn't have the ability to mess with the item server code; it can only politely request things from the item server. The item server -- fully under Valve's control -- can simply refuse dumb requests like "give me a golden pan." This is why trading is not impacted by this leak.

The "item server" (a misnomer, as I am about to explain) also handles matchmaking. It actually handles pretty much every other "live service" aspect of the game (parties, time-limited events, etc). So you really need this item server for a lot of what makes TF2 "TF2". You might be able to make changes to the game code and distribute your "own version" of TF2, but it would still need to connect to the actual TF2 backend servers (unless you made your own, which is a big task).

Should I spend money at Marketplace.tf?

Good God, yes. Unless you don't want to. We're cool. There's a pandemic. It aight.