Dota 2 analyst degaz from Spectral.gg reported the existence of a Chinese website that allowed access to confidential information regarding professional Dota 2 teams and player practices. Upon being notified, Valve acted swiftly to address the vulnerability stemming from MOBA API keys.
Original source’s spelling and punctuation preserved
During my brief vacation, I decided to pen a short piece about cheats, specifically those originating from China.
As some may recall, a significant scandal known as Rurugate erupted in 2017. Chinese teams LGD and EHOME were implicated in accessing scrimmages and private matches using an API key associated with Perfect World. While the potential access extended to broader actions like Steam account control, the core issue revolved around unauthorized data acquisition. More details can be found here.
Regrettably, a similar situation has recently unfolded. I was informed of a website capable of displaying precise MMR values for players across all ranks, even down to single digits. Furthermore, this site exposed all match data, circumventing privacy settings even for low MMR closed profiles. Notably, the site’s creator has past affiliations with Keen, also known as EHOME.
In response, a collaborative effort, a “pseudo-consortium,” was formed with trusted and knowledgeable individuals within the Dota community, including Boskey, Leamare, sikle, NoraD, Noxville, casual, and a few anonymous contributors. After examining various technical possibilities, we concluded that another API key leak was the most probable cause. Consequently, a joint letter was drafted and sent to Valve, outlining the situation and expressing concerns about potential threats to competitive integrity in esports.
Valve addressed the issue promptly, detecting the compromised key and effectively shutting down access to the method a few days ago. This incident serves as a crucial reminder for developers to regularly audit the status and usage of their API keys. While direct evidence of cheat utilization remains elusive, precluding accusations against specific teams, this situation amplifies existing concerns about the precarious state of the regional Dota 2 scene. Consider these implications.
Back in 2016, Pan RuRu Jie, the head of the esports organization LGD Gaming, was accused of leveraging the Dota 2 API key to procure private training data from rival teams. Allegations suggested that she had been supplying her teams with intelligence on competitors since 2013, creating an unfair competitive advantage.