tl;dr :rage1: CEVO client discloses account email, password, username, private messages and chat room conversations.

Good day CS:GO friends!

Reference: /r/globaloffensive post about ESEA’s password security from spring 2015.

I had a couple of the guys over this weekend to play some video games and of course CS:GO was on our list. I decided to download the CEVO client because of the cost of ESEA and our skill differences in matchmaking. I recalled the referenced Reddit post from this spring and decided to double check that CEVO would at least take the lessons learned from the attacks on ESEA and secure their users. I was wrong!

While the CEVO website has enabled HTTPS, the most important part of their business, the client, is verifying login details and more in plain ol’ HTTP. How does that work? Typically, whenever a client authenticates with a website or web based application generates an HTTP POST request. The HTTP POST request contains your account credentials (email address for CEVO, username for ESEA) and password. This is normal. The big difference here is that services like Google, Facebook, banks, .etc, use TLS (transport layer security) to encrypt the data between your computer and the server responsible for performing the authentication so no one else can see it; CEVO does not. Furthermore, all communication over the client happens over HTTP which means your private messages are also disclosed to whoever is listening.

So what?

Who cares? Are there plenty of nerds out there that can perform this wizardry? Yes.

With prize pools totaling over $150,000 USD, the CS:GO gambling economy, and the technical aptitude of a lot of users these days, it would be trivial to harvest professional players’ information from large CEVO events and use that information to DoS an entire event for fun and profit! Not to mention humiliating corporate sponsors or engaging in all sorts of griefing.

The proof is in the pudding, is it not? I made a script to harvest attempted logins live with some shell scripting and tcpdump. Here’s the script:

Example:

CEVO Script

If you’re not that savvy with Linux you could always use something like Fiddler or Wireshark to do the heavy lifting for you. Here’s what fiddler looks like:

Fiddler2 Output

Until this gets fixed I would exercise extreme caution when logging in via the CEVO client to play some games on a network that you do not trust.