There is a highly downloaded Dota 2 AI Bot Script on the Workshop collecting chat data + IP addresses to a domain commonly used for malware and phishing. (Not as bad as it sounds, but it could be worse!)
I'm not naming the AI, as this post is meant to highlight possible security issues with some Lua functions that people could use for malicious purposes.
I found an old post recommending a workshop bot that was actually good. I installed it, and it was probably one of the better coded bots out there, to the point where I could comfortably play it with friends, which I did. During said friendly match, the newly installed bots were actually making fun of plays we made in Mandarin. My friend's response was posting a part of the Tiananmen Square copypasta as a joke and, much to our surprise, both bots responded back with "天安门上太阳升", which translates to "The sun rises on Tiananmen Square", which legitimately scared the shit out of us. We laughed it off later, saying that they probably programmed it in because people kept posting it in the Steam comments, because people are assholes. In good fun, we started posting anti-CCP stuff to it and seeing what it posted back. It was pretty wild and I was curious if there were more responses that we missed.
But when I went code diving to look for the phrases we used, I found nothing. I did find a file full of phrases which could be triggered by the bot, but nothing like that was there, which was pretty interesting. I dove further and found it was sending POST requests to some server to get lines of dialogue from some chatbot on that server. Seems relatively harmless enough, as I bet some workshop game modes and bot scripts use it to send data about the game to improve the performance of bots, and the address didn't seem suspicious… that is, until I looked up the domain used and the specifics of a POST request.
The domain used is a .top domain which, if you do a quick Wikipedia search, you can find that Malwarebytes and Snort declared was so commonly used for phishing and malware that they had to block the entirety of the .top domain. I was curious to see what particular data was sent, so I modified the source code to actually print to console what it sends when you talk, as seen in this image. The information being sent (in order from left to right) is:
The message that was said in chat
The "operation" type, usually being "message".
General information about the message, such as the name of the AI.
A "uuid" which is generated on the server itself and is consistently the same across sessions. I legitimately don't know how this value is generated as resetting my IP does not change the value of it. It could be the real world UUID, which would make sense for this instance, but I'm not sure.
The "gametime", which is just how long the game has been running.
Not shown: Typical header information you can get via a POST request, such as your IP address and the browser/service used to send the request.
Conclusion 1: The apocalypse is upon us. There is a workshop addon that is phishing IP addresses and what you say during your Dota 2 bot games and selling it to Mark Zuckerberg and the ghost of Steve Jobs. Nothing is sacred anymore.
Conclusion 2: A man made a Dota 2 workshop mod and, instead of giving out their API key for the chatbot service, they had to buy a very cheap .top domain that scammers typically use (hence the cheapness) to accept POST requests for the chatbot feature and to collect data about the performance of their bots, which is actually optional and disabled by default. The creepy responses to anti-CCP terms are a result of the service that he is using and not something he chose to put in the game. None of this is in the description and it gives off terrible vibes, resulting in a loser with low MMR typing this up on a Friday night.
Edit: If a mod wants me to verify these claims so I'm not pulling them out of my ass, I can walk them through the code that does all of this.
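The code diving described in the post above can be partly automated: a small static scanner that walks an addon's Lua files, pulls out every outbound HTTP request, and flags hosts on watched TLDs such as .top. This is an added example, not code from the post or from the bot script; the Dota 2 Lua HTTP API names it matches (CreateHTTPRequestScriptVM and the SetHTTPRequest* methods) and the sample Lua it scans are assumptions, not the real addon's code.

```python
import pathlib
import re
from urllib.parse import urlparse

# Constructed sample of what a bot script's network code might look like (not the real addon).
SAMPLE_LUA = r'''
local payload = { message = text, operation = "message", uuid = g_uuid, gametime = GameTime() }
local req = CreateHTTPRequestScriptVM("POST", "http://chat-api.example.top/api/message")
req:SetHTTPRequestRawPostBody("application/json", json.encode(payload))
req:Send(function(result) ParseReply(result) end)
local check = CreateHTTPRequestScriptVM("GET", "https://updates.example.com/version.txt")
'''

# Assumed Dota 2 Lua HTTP API: method and URL are the two literal arguments of the constructor.
CALL_RE = re.compile(r'CreateHTTPRequestScriptVM\(\s*"(\w+)"\s*,\s*"([^"]+)"')
URL_RE = re.compile(r'https?://[^\s"\']+')
POST_BODY_RE = re.compile(r'SetHTTPRequest(RawPostBody|GetOrPostParameter)')


def scan_lua(source, watched_tlds=frozenset({"top"})):
    """Return one finding per URL literal: line, HTTP method (if visible), host, TLD flag."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        methods = {url: method for method, url in CALL_RE.findall(line)}
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            tld = host.rsplit(".", 1)[-1]
            findings.append({
                "line": lineno,
                "method": methods.get(url, "?"),  # "?" when the URL is not a direct ctor argument
                "host": host,
                "url": url,
                "flagged": tld in watched_tlds,
            })
    return findings


def sends_post_data(source):
    """True if the script attaches a body or parameters to an outbound request."""
    return POST_BODY_RE.search(source) is not None


def scan_addon_dir(root):
    """Scan every .lua file under an addon directory (e.g. the workshop download)."""
    return {str(p): scan_lua(p.read_text(errors="replace"))
            for p in pathlib.Path(root).rglob("*.lua")}


if __name__ == "__main__":
    for f in scan_lua(SAMPLE_LUA):
        print(("FLAG" if f["flagged"] else "    "), f"line {f['line']:>3}", f["method"], f["host"])
    print("attaches POST data:", sends_post_data(SAMPLE_LUA))
```

Point scan_addon_dir at the addon's folder to list every host the scripts talk to; a flagged host plus a POST body is the combination worth reading by hand, as the post does.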