@@firemaana6440 thats just a generic scam message meant to scare people, valve hasnt support granted any items in ages n doesnt care abt the old duped items, the bug cheesmo was talking abt was when a guy found how to give literally any item based on ID n gave himself the mvm heavy bots minigun the deflector n a previous 1 i dont know the details of but i believe the finder was given a sunbeams maxs head
As the CS:GO UI is built with web technologies, this is basically just about breaking the css layout with obscure unicode characters, just like you often see it on the web. It's unlikely that there are actual exploits possible with this beyond breaking the layout of your client UI.
New World has this problem right now you're able to inject html into your chat and fuck with UI and even crash the game with bad data injected in item descriptions.
@@Luna0wl no thats a completely different problem, new world just didnt sanitize their chat box and the game took it at face value, easy fix. cs:go and tf2 are written this way, manipulating game memory is alot worse than what happend on new world
I tested and with this script there might be some potential to break the UI even more but it's so unpredictable that doesn't worth the nametags' price just to test everything out ingame. But no actual exploits really, just some weird visual stuff.
I was wondering why this hadn't been uploaded yet. That shit was so cool on steam. Cheesmo has an insane profile. I really hope I win one of those p250s.
In dota 2 the Chinese skin community had figured out a bunch of exploits, the most basic of which was to simply put html links to pictures in description tags for items, rendering them ingame if you clicked on the item. This was a welcome addition to the dota skin community until valve stopped it. The explained that anytime someone loaded the skin in game (as in if they got matched in a game lobby or even just spectating a live game through the in game client) the person that had access to the server the html picture was on could just get the IP address of anyone that loaded it (because they are technically downloading the picture from the server to view it). It was a silly and short time where tags were abused and I hope it never happens to CS.
he's not a fuckin hacker lmfao, dude literally told you that he got sent a github link after asking a bunch of people. you people are so gullible it's insane
10:24 actually no, they gave him the item back (obviously untradable) - it's name of the gun is "Deflector" - its the normal minigun, but it has ability to shoot rockets out of the sky. Not that much overpowered, so there wasnt much harm giving it to a single person.
Do you have proof he still has it? He gave himself one but from everything I’ve heard it was removed and they simply gave him another custom unusual like they did to other people. Even the wiki says it was taken away from him
He no longer has it after they patched it out and removed it. Also the deflection ability would be overpowered, as it deflects all projectiles and would negate ALOT of burst damage and make projectile classes extremely useless. It was only meant for a bot AI to use.
@@QuackZack " Also the deflection ability would be overpowered, as it deflects all projectiles and would negate ALOT of burst damage and make projectile classes extremely useless" It doesn't matter, there are literally "VALVE" weapons, with insane stats, that are in the accounts of valve employees. One player having a weapon that's a little bit stronger doesn't matter that much
@@wojtekpolska1013 Complete difference between a Valve employee that rarely joins or play TF2 to goof around with an OP weapon compared to a regular player that could literally join every casual match and ruin it if he wanted it.
@@QuackZack no lol, there are hundreds of casual servers, and giving heavy the ability to shoot rockets is not even that gamebreaking. he still dies to spies, snipers, sentries, pyros, etc. its not overpowered, literally only 1 person in the world has that item, and its not even that OP.
the guy who gave himself the minigun (it was specil in that it could delete proectiles like rockets and pipes) was the guy who got the unusual cheaters lement (halo looking hat) that the guy was talking obout
I couldn’t imagine a corporation as big as Valve not being protected by SQL injection, but maybe communicating through a script instead of intended text boxes could be a vulnerability valve didn’t consider. Very interesting.
id think this would enable cross-site scripting rather than sql injections. sql injections would require the name to be executed by steam servers which is unlikely if they properly sanitize their db. cross-site scripting means putting executable code somewhere where its executed by a client accessing the text. this might happen in the context of a person viewing your inventory in a web browser or viewing your gun in game or maybe in the "kill screen".
That's what i was thinking as well, rather than outdated exploits that don't even work on some web servers, I would rather think an XSS injection could be more common here, however theres possibilities that the UI most likely doesn't have the actual JS engine even enabled/loaded, which would make it impossible, and second to that, I doubt they would store steam cookies in the html for the UI.
Sorry but this is driving me nuts and here is an explanation in laymans terms. The client communicates with the steam servers through something called an API (Application Programming Interface) which is the same thing the trading bots and this script uses. The API should have the same name restrictions as the client but some times A) the programmer forgets or B) At the time of making it they only expected the API to be public which means they didn't need to validate the name to make sure to weird characters are in it. You wouldn't really have to worry about SQL injection because most modern database API's only let you execute one command per line so SELECT `items` FROM inventory; would work but something like SELECT ``DELETE items from INVENTORY` items` FROM inventory wouldn't as multiple commands are being used. Another reason you wouldn't have to worry about it is the fact that the database API's also do something called escaping which just means it removes the extra ` that allows you to execute multiple commands.
You could just run a drop table instead. I'm sure they have backups of their backups, but Valve needs apparently needs to be pushed to do something about their game which is very clearly broken.
@@mihalis1010 The strings are obviously escaped. You really think their public API has oversight as crazy as this? Not saying it's impossible but definitely not that trivial.
So basically this is just a glitch you can do with the csgo API from my understanding, i doubt name tags could actually execute any commands through it unless valve messed up the code big time, which is possible just look up the crate depression lol
@@durax-0xf maybe not an API but per se but you can communicate with the server directly bypassing any sort of client side validation (in this case character restrictions).
i probably wouldnt report a free unboxing bug, atleast not for the time no one else knows about it. I wouldnt sell my items i unbox but just for the unboxing experience it would be hella fun i think
If a CS:GO Nametag ever gets exploited through SQL Injection because someone forgot to escape a parameter, I will eat a broom. And PowerShell isn't just a new cmd.exe, it's an entire programming language that can interact with .NET Framework.
I really hope that doesn't involve scripting. Or stuff that's borderline bannable. Although if the method turns out to be too easy, people might come with game breaking bugs that will cause Volvo to step in.
Maybe it uses an HTTPS proxy that intercepts data going from you to Valve, for example when you rename an item. The outgoing data with the text you entered could be intercepted and changed and then sent out, possibly circumventing the in game / in app text restrictions.
@@romanianfps ????? are you mentally stable yourself? the suggestion this guy made could probably work, although it's much easier to just run some custom panorama js in-game to do it imo
@@eclipse632 Why the fuck would a custom text use a fucking http proxy dude? Its literally just special characters that haven't been blocked yet by valve 🤣🤣🤣
@@romanianfps the reason something like that is needed is because nametags do not allow you to use certain special characters (e.g paragraph separator) in nametags legitimately, personally I have no experience in doing something like that so never tried it as it wasn't first thing to come to my mind when I did it myself, but yes that would probably work, and something like that is necessary
a little bit of cyber security info an injection typically runs code on the server, this is where all the economy breaking bugs will be something scarier than that would be an ACE exploit, allowing code to be run on the computer of anyone who views the skin. one minute, you're checking out cool skins, the next minute your computer is being used to mine some form of crypto
I love that so much, I can still remember when I clapped a nametag on my c4 and thought I was super unique haha "Explosive Toaster" will always have a special place in my heart xd
the story with the colored name was a bug that allowed to use the name code for the vote command comfimation, it was up for a few year but go patched now you can't even use the original command anymore the text was this #SFUI_vote_failed
They do still work in CS2, but the UI is a bit smaller by default, so the vertical nametags aren't as tall unless you set UI scale to 110%. Also, when having multiple weapons with vertical nametags, in csgo the nametags of the upper weapons overlap onto weapons below them, but in CS2 the nametags seem to just get cutoff / stop being rendered where it hits the gun below it. (I only have two weapons with these nametags right now so I couldn't test that much, it probably cuts off even more if you have vertical knife+2 vertical weapons) Realistically though, if Valve ever wanted to fix this, they easily could without even messing with anyone's inventory. They just need to stop rendering the weird newline character (it's not a normal newline it's this character: ), and they could also similarly enforce a client-side character limit to prevent the 21 character nametags. They could basically just re-enforce whatever limitations they want on nametags as they're loaded or rendered - remove any banned characters and limit the length. (I hope they don't but admittedly it is pretty ridiculous that this is possible lol, imagine if someone used these at a major, bit of a bad look for cs/valve)
0:40 i would argue that.. the UI is just exactly showing what the nametag is and grabs as much space as it needs to show it. Imo; it knows exactly what to do with the line-seperators, because they are showed exactly how a line-seperated is supposed to be shown.
@@lahtin3n You obviously don't understand anything about game development or how QA works. First of all; QA doesn't test every case there possibly could theoretically be. It is and was never intended to use special characters which result in a line-break. Period. There was no need to test for it because it's a obvious bug that this was possible and no QA tester ever wastes time on intentionally producing a bug to test if the UI is still good. It doesn't make sense, it's a waste of time, nobody does it. They test the intended usecase and possible allowed combinations and that's it. Requesting QA to test every possible theoretical situation would mean days of testing just for the nametag and creating a huge set of data to test them. Also UI designers say "hei, this is designed for a name without any line-breaks". That's it. They don't implement it, they don't test it, they have no other part but saying that line-breaks are not intended in the design. So no, UI designers are not connected to this "problem" at all. And despite all that they still implemented it in a way that it doesn't completly break if there are a few line-breaks. He obviously use a bug to completly escalate with them and it technically still didn't break. So... if you ever want to critize QA, Designer, Developers, whoever again.. use your brain to understand what you are criticizing and use proper arguments.
In Dota2 back in the day, they can dub "Key" which are used as a currency in Dota2, i think Valve banned China server or something because they exploited a lot of dubs. ITS cRAZY
also reported some stuff to different developers and the reaction from them can be rly different... had developers paying for findings and had some which were rly angry cuz of it... as example: I dont report to Bohemia anymore
Back in the day a buddy of mine showed me an exploit that you could use any cosmetic combo so you could combine hats,coats etc. in tf2 if you modified a windows file profile picture wouldnt load anymore but that was the only downside. I deinstalled it after a couple days but it was a cool lottle exploit.
reminds me of the time i put a nametag on the bomb. i got a couple of questionis on how i did that, but it was so long ago now i don't even remember anymore. probably a tutorial on youtube though somewhere if you look it up
@@aslanxdd not even kidding, the char representation is one of the First things you learn at least in C programming, and people think this is sort of hack, you cant do nothing with It. Saw people saying you can manipulate memory with this, I dont know How you can do that, because for me It doesnt even make Sense at ALL. You can manipulate Memory If there's a array in scanf for example , but for this to happen in VALVE is rare, Very rare, probably wont happen at all, this is like beginner error
I don't think this guy knows what he's talking about. I believe he is what we call a "script kiddie." He's as much of a hacker as the people spinbotting in casual lobbies. He even said he got this from someone else's github. He seems to know nothing about injection or how client-server authority works. I do this kind of thing for a living, it's pretty easy to spot when someone doesn't really know what they are talking about or are bolding lying, IE when he was talking about his steam profile. I was able to recreate the bugs he used entirely inside the steam client, but in the original video he claimed he had to use some script to do it.
About the other video, just used code in his browser's console. He doesnt code it, just finds it. I don't see him bragging or claiming that he invented/coded these 'exploits' so I don't really get where you're coming from. As for the name tags that's very simple and I'm positive there are online guides for renaming stuff with weird characters. Again, he didn't claim he invented the exploit. No reason to criticize him. In my opinion his profile is a pretty cool showcase of these exploits. Seeing them all on one profile is nice and creative, I don't see a reason to complain.
You are right about the "script kiddie" thing. For renaming the items he uses someone else's script which he barely understands. On stream he also stated that he looked at the script's source codes but he doesn't know if it's safe because he doesn't really understand it. This glitch isn't rare because it's hard to do. It's rare because people who have the knowledge doesn't care about it. Anyone with a little bit of programming knowledge (especially py) can remake this one in half an hour max.
I dont think it harms game play like cheaters do, its more of a customisation if any thing, it dont really brake your game just moves your gun icon up higher ingame. Things like rocket jump scrips or edgy auto binds are worst but still aloud.
wait i was in a game with someone who had a name like this on his ak a couple days ago. The script must have leaked through the community or I actually met one of the few people who actually have it
tf2 has an insane history of items being "cheated" into existence and i am eternally thankful cheesmo brought it up. Great vid!
even people without items get messages like 'Man.. I repoprted you for Duping' and it's never any other reason
Same with CSGO. That's why you can't get your skins back after being scammed anymore.
@@firemaana6440 thats just a generic scam message meant to scare people, valve hasnt support granted any items in ages n doesnt care abt the old duped items, the bug cheesmo was talking abt was when a guy found how to give literally any item based on ID n gave himself the mvm heavy bots minigun the deflector n a previous 1 i dont know the details of but i believe the finder was given a sunbeams maxs head
@@nya69 Don't worry, I was just joking
duped shovel?????
„If you kill someone…“
„…in Game?“
„Yeah I hope ingame“
Hahahahaha
didn't even notice the joke until i saw the comment, that's hilarious
cuz twitch rules are dumb ...
@@Trolju no lmao, its a joke. nothing about twitch rules
@@wojtekpolska1013 no he had to make the comment “in game” just to reinsure twitch
Xd
"i just put name tags on items" lmao fuckin golden
That's literally all he does. Not even a scipt kiddie. Ohne acting like he's some bigbrain hackerman is the cringiest shit ever.
@@donkitphp awesome but who asked
@@kwaygz I mean you replied lmao
@@donkitphp you have no idea
@@kwaygz why are you a leet haxor that could teach me all of the programming languages to become a l33t h4x0r too? Lmao
As the CS:GO UI is built with web technologies, this is basically just about breaking the css layout with obscure unicode characters, just like you often see it on the web. It's unlikely that there are actual exploits possible with this beyond breaking the layout of your client UI.
unless it can somehow activate escape characters, that can affect more than the UI.
New World has this problem right now you're able to inject html into your chat and fuck with UI and even crash the game with bad data injected in item descriptions.
web technologies lmao
@@Luna0wl no thats a completely different problem, new world just didnt sanitize their chat box and the game took it at face value, easy fix. cs:go and tf2 are written this way, manipulating game memory is alot worse than what happend on new world
I tested and with this script there might be some potential to break the UI even more but it's so unpredictable that doesn't worth the nametags' price just to test everything out ingame. But no actual exploits really, just some weird visual stuff.
I was wondering why this hadn't been uploaded yet. That shit was so cool on steam. Cheesmo has an insane profile. I really hope I win one of those p250s.
i already have a p250 pretty much like that :D
@@MaxxerOfPepsi with the name like that?
@@904 yeah its not the same name as the one in the video but yeah it makes the hud go wonky
@@MaxxerOfPepsi Damn that's cool af. If I had one like that, I might just start using the p250 lol
@@SrikarMaddula i mean shit id trade it if you got anything good to offer me lol
In dota 2 the Chinese skin community had figured out a bunch of exploits, the most basic of which was to simply put html links to pictures in description tags for items, rendering them ingame if you clicked on the item. This was a welcome addition to the dota skin community until valve stopped it. The explained that anytime someone loaded the skin in game (as in if they got matched in a game lobby or even just spectating a live game through the in game client) the person that had access to the server the html picture was on could just get the IP address of anyone that loaded it (because they are technically downloading the picture from the server to view it). It was a silly and short time where tags were abused and I hope it never happens to CS.
Boy do I have news for you about something that happens in the votekick menu
@@pondbear1433 fr?
kinda cool how he's open about alot of this stuff, most hacker nerds i have encountered are edgy like title says
not a hacker, script kiddie
he said it himself he just used a script
@Anonymous User yeah thats y he corrected him, Cheesmo isnt a hacker. Scripter is different little boy
@@durax-0xf not a skid. he knows hes not a hacker and doesnt try to make it sound crazier than it is.
@@Anna-senpai Yea, One is the one hyping him up to be a h4ckerman - he seems like a good dude
he's not a fuckin hacker lmfao, dude literally told you that he got sent a github link after asking a bunch of people. you people are so gullible it's insane
lmao the arabic translates to "in the name of god, the most kind, the most forgiving"
yeah
Kind of funny. Back then it was a meme when you found out, now it seriously seems like a sign.
@@Reichstaubenminister A sign? tf are you talking about?
@@ThisUsernameSystemF-ckingSucks I don't remember.
@@ThisUsernameSystemF-ckingSucks A sign of dementia
Got into a wingman game with this guy and got to have a look at a few of his weapons, fun stuff
I played with Brad Pitt also wingman and he said he is going to make actor from me, so funny these things happen right.
@@asthmakid1858 Yeah, I remember meeting Zeus yesterday. Friendly guy
@@mattacer wow,that's crazy all this stuff happened to people in this comment section
Guys iam actually gay
@@herrmanncs ehh and?..
4:17 "what if you like can put commands through a nametag" that question aged really well, atleast there was only the player name exploit for now
I would love if someone made a channel like this, documenting expoits and explaining the history of bugs etc
Enough with the clickbait, Cheesmo isn't a hacker lol
He pretty much just does shit offline, don’t think he’s accomplished anything alone.
yeah just playing around with a script and throwing around knowledge doesn't make you a hacker, heavily agree with you
hes not a hacker.. zzz its common u can even buy everywhere
ure hacker when u exploit the web online.. penetrate.. solved maths.. solved coding etc.. entering government sites.n
@xxxcept a hacker means you invade what is already there..
10:24 actually no, they gave him the item back (obviously untradable) - it's name of the gun is "Deflector" - its the normal minigun, but it has ability to shoot rockets out of the sky.
Not that much overpowered, so there wasnt much harm giving it to a single person.
Do you have proof he still has it? He gave himself one but from everything I’ve heard it was removed and they simply gave him another custom unusual like they did to other people. Even the wiki says it was taken away from him
He no longer has it after they patched it out and removed it. Also the deflection ability would be overpowered, as it deflects all projectiles and would negate ALOT of burst damage and make projectile classes extremely useless. It was only meant for a bot AI to use.
@@QuackZack " Also the deflection ability would be overpowered, as it deflects all projectiles and would negate ALOT of burst damage and make projectile classes extremely useless"
It doesn't matter, there are literally "VALVE" weapons, with insane stats, that are in the accounts of valve employees.
One player having a weapon that's a little bit stronger doesn't matter that much
@@wojtekpolska1013 Complete difference between a Valve employee that rarely joins or play TF2 to goof around with an OP weapon compared to a regular player that could literally join every casual match and ruin it if he wanted it.
@@QuackZack no lol, there are hundreds of casual servers, and giving heavy the ability to shoot rockets is not even that gamebreaking. he still dies to spies, snipers, sentries, pyros, etc.
its not overpowered, literally only 1 person in the world has that item, and its not even that OP.
Anyone remember the old SFUI Vote Passed nametags with color?
Yeah
yep
yeah my awp still has it
@@poopooman9658 can you still do that?
@@poopooman9658 yeah but the glitch does not work anymore, you only see the name of the command
7:02 "Back in the day, me and you baby" 💀💀
me and you baby?
This account was so edgy i edged all night all over the place and i only had 1:30 hours of sleep💀
same
Someone who doesn't know csgo would be confused. Like "Why the hell his mind blows up so much to just a interface location change?"
"so, if you kill someon-" "IN GAME RIGHT??" Bruh xD
the guy who gave himself the minigun (it was specil in that it could delete proectiles like rockets and pipes) was the guy who got the unusual cheaters lement (halo looking hat) that the guy was talking obout
ohnepixel predicted the votekick html exploit in this vid
This type of hacking that doesn't interfere with other players and it's strictly for cosmetic purposes like this I have no problems with.
this is the true meaning of hacker, not people who pay for aimbot and walls
I couldn’t imagine a corporation as big as Valve not being protected by SQL injection, but maybe communicating through a script instead of intended text boxes could be a vulnerability valve didn’t consider. Very interesting.
aged well
i was wondering if someone was gonna say this@@judfps
what happened@@Rusty49
@@Alex-bi8ob people were injecting malicious code through their name and in workshop maps
this guy just gets fascinated by so little things lol... every video if it isnt normal csgo "OMG HACKER PROFILE" lol.
Never report your bugs/glitches unless there is a bounty program. Devs rarely show appreciation for bug reporting
Some of yall were born to deep dive into this stuff. Its interesting
My SG used to be named "Are you sure you want to leave this online lobby?" from a label quit lobby text. It was patched out, very sad
Yeah sad times, kept the name tag on it as a reminder.
Not an edgy hacker or a skid, just a bored fella breaking stuff for fun
I'm best friends with someone that uses this script. Everyone is so utterly confused when they pick their guns up, it's really funny
Is he willing to share the script? :P
finna need that bru
id think this would enable cross-site scripting rather than sql injections. sql injections would require the name to be executed by steam servers which is unlikely if they properly sanitize their db. cross-site scripting means putting executable code somewhere where its executed by a client accessing the text. this might happen in the context of a person viewing your inventory in a web browser or viewing your gun in game or maybe in the "kill screen".
I was about to write that👍🏼
That's what i was thinking as well, rather than outdated exploits that don't even work on some web servers, I would rather think an XSS injection could be more common here, however theres possibilities that the UI most likely doesn't have the actual JS engine even enabled/loaded, which would make it impossible, and second to that, I doubt they would store steam cookies in the html for the UI.
remember trillux getting banned for finding the zeus bug and only after big drama they unbanned him. Valve does not give a shit about their players.
he got banned from faceit not valve lol you cant get banned for using glitched that are already in the game
1:48 "in finland we kill people for fun" :DDDDD
Sorry but this is driving me nuts and here is an explanation in laymans terms.
The client communicates with the steam servers through something called an API (Application Programming Interface) which is the same thing the trading bots and this script uses.
The API should have the same name restrictions as the client but some times A) the programmer forgets or B) At the time of making it they only expected the API to be public which means they didn't need to validate the name to make sure to weird characters are in it.
You wouldn't really have to worry about SQL injection because most modern database API's only let you execute one command per line so SELECT `items` FROM inventory; would work but something like SELECT ``DELETE items from INVENTORY` items` FROM inventory wouldn't as multiple commands are being used. Another reason you wouldn't have to worry about it is the fact that the database API's also do something called escaping which just means it removes the extra ` that allows you to execute multiple commands.
You could just run a drop table instead. I'm sure they have backups of their backups, but Valve needs apparently needs to be pushed to do something about their game which is very clearly broken.
is it possible with DOTA 2 i want to try it
@@mihalis1010 The strings are obviously escaped. You really think their public API has oversight as crazy as this? Not saying it's impossible but definitely not that trivial.
So basically this is just a glitch you can do with the csgo API from my understanding, i doubt name tags could actually execute any commands through it unless valve messed up the code big time, which is possible just look up the crate depression lol
theres no csgo api afaik and you cant call nametag uses through web api
@@durax-0xf maybe not an API but per se but you can communicate with the server directly bypassing any sort of client side validation (in this case character restrictions).
i probably wouldnt report a free unboxing bug, atleast not for the time no one else knows about it. I wouldnt sell my items i unbox but just for the unboxing experience it would be hella fun i think
This is the kind of "hacker" I like
bro is literally some kid that found a github link, hacker is a crazy term for him lmfao
I still waiting for the moment when Ohne is drinking when suddenly he is surprised and spits on the screen xddd
These lootbear adds are crazy
Cheesmo is the calmest hacker I've ever seen
this aged well (cs2 name xxsl exploit)
guys a real chad, literally having the nuke codes to csgo and he chooses to mess with nametags only
"Nuke codes" lol
If a CS:GO Nametag ever gets exploited through SQL Injection because someone forgot to escape a parameter, I will eat a broom. And PowerShell isn't just a new cmd.exe, it's an entire programming language that can interact with .NET Framework.
nah fam powershell is just a blue cmd.exe
ik man insane
@@Oliverii No, it is not. Try to run a .ps1 script via cmd.exe.
@@Reichstaubenminister yeah i can
It seems to me that you just have skill issue fam 💀
I worked out another way to do this after the stream. I really believe there’s huge potential in these name tag bugs
how did you do it?
@@shipy490 magic
I really hope that doesn't involve scripting. Or stuff that's borderline bannable. Although if the method turns out to be too easy, people might come with game breaking bugs that will cause Volvo to step in.
@@SrikarMaddula it’s definitely not difficult but it’s also not bannable because you’re not interacting with vac secured servers
@@SrikarMaddula Volvo owns valve comfirmed
Maybe it uses an HTTPS proxy that intercepts data going from you to Valve, for example when you rename an item. The outgoing data with the text you entered could be intercepted and changed and then sent out, possibly circumventing the in game / in app text restrictions.
Lmao no... you need mental help
@@romanianfps ????? are you mentally stable yourself? the suggestion this guy made could probably work, although it's much easier to just run some custom panorama js in-game to do it imo
@@eclipse632 Why the fuck would a custom text use a fucking http proxy dude? Its literally just special characters that haven't been blocked yet by valve 🤣🤣🤣
@@romanianfps the reason something like that is needed is because nametags do not allow you to use certain special characters (e.g paragraph separator) in nametags legitimately, personally I have no experience in doing something like that so never tried it as it wasn't first thing to come to my mind when I did it myself, but yes that would probably work, and something like that is necessary
@@eclipse632 actually you and the other guy I right I just fully looked into it
IIRC the custom weapon that the guy spawned in was the "Deflector". Used by robots in MVM that could destroy pipes and rockets.
As someone in chat said he sounds like a rich kid who just bought the script
Anxiety bookmark Sadge. It feels like dying everynight.
a little bit of cyber security info
an injection typically runs code on the server, this is where all the economy breaking bugs will be
something scarier than that would be an ACE exploit, allowing code to be run on the computer of anyone who views the skin. one minute, you're checking out cool skins, the next minute your computer is being used to mine some form of crypto
I love that so much, I can still remember when I clapped a nametag on my c4 and thought I was super unique haha
"Explosive Toaster" will always have a special place in my heart xd
how do you get c4 to your inventory?
Haha i still got the russian calculator on my c4 :)
9/11 never forget is mine
that is so interesting
I found may be his old account? On steam, same glitches on profile, groups , but VAC banned
checks are made on client side, by talking to the API straight you can bypass the checks. Simple
Yes but how
theres no api for csgo and afaik you cant call a nametag use through the web api
4 seconds in and it's already obvious he's Finnish lol
hes swedish bro
the story with the colored name was a bug that allowed to use the name code for the vote command comfimation, it was up for a few year but go patched now you can't even use the original command anymore the text was this #SFUI_vote_failed
I wonder if these will still exist in CS2. (more than likely they will)
They do still work in CS2, but the UI is a bit smaller by default, so the vertical nametags aren't as tall unless you set UI scale to 110%. Also, when having multiple weapons with vertical nametags, in csgo the nametags of the upper weapons overlap onto weapons below them, but in CS2 the nametags seem to just get cutoff / stop being rendered where it hits the gun below it. (I only have two weapons with these nametags right now so I couldn't test that much, it probably cuts off even more if you have vertical knife+2 vertical weapons)
Realistically though, if Valve ever wanted to fix this, they easily could without even messing with anyone's inventory. They just need to stop rendering the weird newline character (it's not a normal newline it's this character: ), and they could also similarly enforce a client-side character limit to prevent the 21 character nametags. They could basically just re-enforce whatever limitations they want on nametags as they're loaded or rendered - remove any banned characters and limit the length. (I hope they don't but admittedly it is pretty ridiculous that this is possible lol, imagine if someone used these at a major, bit of a bad look for cs/valve)
"SQL injection" nice viewers
It's arbitrary code execution
its really simple, i also have a nametag with super long unicode and it stretches the ui. you just use cheat engine
bro is literally some kid that found a github link, hacker is a crazy term for him lmfao
Ladies and gentleman, in 2021 putting unicode symbols into csgo name tags is considered dirty hacking. Wow
the interesting part is with the LINE SEPARATORS which dont work with manual inputs
at least no one had made a csgo name tag inject rce out of this
This guy could be finnish.
A simple prevention would be to allow only normal characters
yeah valve has to be pretty lazy to allow this
they actually removed many symbols i used in previous names which im very say about :(
@@salsa221 sounds like valve.
@@cringer8107 yeah you used to be able to change color and stuff
0:40 i would argue that.. the UI is just exactly showing what the nametag is and grabs as much space as it needs to show it. Imo; it knows exactly what to do with the line-seperators, because they are showed exactly how a line-seperated is supposed to be shown.
There is no arguing that this is poor UI design and if a QA team would have noticed this, it would never have made it to a release.
@@lahtin3n You obviously don't understand anything about game development or how QA works. First of all; QA doesn't test every case there possibly could theoretically be. It is and was never intended to use special characters which result in a line-break. Period. There was no need to test for it because it's a obvious bug that this was possible and no QA tester ever wastes time on intentionally producing a bug to test if the UI is still good. It doesn't make sense, it's a waste of time, nobody does it. They test the intended usecase and possible allowed combinations and that's it. Requesting QA to test every possible theoretical situation would mean days of testing just for the nametag and creating a huge set of data to test them.
Also UI designers say "hei, this is designed for a name without any line-breaks". That's it. They don't implement it, they don't test it, they have no other part but saying that line-breaks are not intended in the design. So no, UI designers are not connected to this "problem" at all.
And despite all that they still implemented it in a way that it doesn't completly break if there are a few line-breaks. He obviously use a bug to completly escalate with them and it technically still didn't break. So... if you ever want to critize QA, Designer, Developers, whoever again.. use your brain to understand what you are criticizing and use proper arguments.
I love to see people who use scripts to get things who arent jack asses
you heard it dont note it
So "بسم الله الرحمان الرحيم" has become a Big Exploit in CS GO? Ok.
Fun fact doing this didint get me VAC banned.
@@ThemasterPink it being open source has nothing to do if u get vac banned or not, a cheat can be open source and get me banned.
Responded to the wrong pers lol
@@ThemasterPink lmao
You ment RCE (Remote Code Execution) not SQL Injection. Sql is just a database...
Need to ban the rat languages from the game.
Lol, it became so easy to do that every person could talk in discord with same inventory(
In Dota2 back in the day, they can dub "Key" which are used as a currency in Dota2,
i think Valve banned China server or something because they exploited a lot of dubs.
ITS cRAZY
I think on cs2 they will patch it, but there also will be some more bugs like this
U can still do it
hacker no, haxor yes
l
Idk, as a programmer this dude looks like the textbook definition of a script kiddie. And I mean literally...
i wonder if with burpsuite you could just capture a packet to rename the weapon and just insert illegal unicode characters there
also reported some stuff to different developers and the reaction from them can be rly different... had developers paying for findings and had some which were rly angry cuz of it... as example: I dont report to Bohemia anymore
???
what extensions is he using to see the float bar on every item?
I can expose an admin of TGP sharking me over $3500 in skins when I was new to trading
copy pastes premade script = hacker
Coding and hacking is mostly that
Rocket league gave players that found game breaking bugs a white hat car topper they’re worth a ton on money now only like 30 in existence
Back in the day a buddy of mine showed me an exploit that you could use any cosmetic combo so you could combine hats,coats etc. in tf2 if you modified a windows file profile picture wouldnt load anymore but that was the only downside. I deinstalled it after a couple days but it was a cool lottle exploit.
Valve customer support has been shit for the past few years
What are you using to display all that extra info on steam?
Imagine this guy will have burning gloves some day
reminds me of the time i put a nametag on the bomb. i got a couple of questionis on how i did that, but it was so long ago now i don't even remember anymore.
probably a tutorial on youtube though somewhere if you look it up
this was uploaded on my birthday :D
"you'll break ALL CS " LOL, he Just probably used something to exploit the chars unicode representation, this wont break the game at all.
Ohne doesn't really know how any of this works. He thinks this is all some kind of hacket shit haha
@@aslanxdd not even kidding, the char representation is one of the First things you learn at least in C programming, and people think this is sort of hack, you cant do nothing with It. Saw people saying you can manipulate memory with this, I dont know How you can do that, because for me It doesnt even make Sense at ALL. You can manipulate Memory If there's a array in scanf for example , but for this to happen in VALVE is rare, Very rare, probably wont happen at all, this is like beginner error
The most finnish accent I've ever heard
More sweden
The most finnish accent you'll ever hear is Hydraulic Press Channel's
sounds norwegian tbh, am swedish myself.
10 min of pure info
Cheesmo it's a legend to me. I changed my profile to look like his profile.
vc ta em todos os cortes possíveis cara
I don't think this guy knows what he's talking about. I believe he is what we call a "script kiddie." He's as much of a hacker as the people spinbotting in casual lobbies. He even said he got this from someone else's github. He seems to know nothing about injection or how client-server authority works. I do this kind of thing for a living, it's pretty easy to spot when someone doesn't really know what they are talking about or are bolding lying, IE when he was talking about his steam profile. I was able to recreate the bugs he used entirely inside the steam client, but in the original video he claimed he had to use some script to do it.
About the other video, just used code in his browser's console. He doesnt code it, just finds it. I don't see him bragging or claiming that he invented/coded these 'exploits' so I don't really get where you're coming from.
As for the name tags that's very simple and I'm positive there are online guides for renaming stuff with weird characters. Again, he didn't claim he invented the exploit. No reason to criticize him.
In my opinion his profile is a pretty cool showcase of these exploits. Seeing them all on one profile is nice and creative, I don't see a reason to complain.
Were you able to recreate the name tag thing?
@@TiSnDd fr im tryna do the same thing but i cant find nun abt it yet
You are right about the "script kiddie" thing. For renaming the items he uses someone else's script which he barely understands. On stream he also stated that he looked at the script's source codes but he doesn't know if it's safe because he doesn't really understand it.
This glitch isn't rare because it's hard to do. It's rare because people who have the knowledge doesn't care about it. Anyone with a little bit of programming knowledge (especially py) can remake this one in half an hour max.
I dont think it harms game play like cheaters do, its more of a customisation if any thing, it dont really brake your game just moves your gun icon up higher ingame. Things like rocket jump scrips or edgy auto binds are worst but still aloud.
Dude i am trying to sleep😂😂
I could patch this in 4 minutes... not really special.
wait i was in a game with someone who had a name like this on his ak a couple days ago. The script must have leaked through the community or I actually met one of the few people who actually have it
steam is so popular and seems so goddamn vulnerable.
what is this extencion ohnepixel is using for steam inventory?
Wonder how these look on CS2
Take a look at "Secret CSGO nametag exploits" and u got ur answer. This is easy af to do.
7:02 me and you baby we used to have fun
MY LEGENDARY "DROP *" HOWL IS STILL BEING TALKED ABOUT LETS GO :DDDDDDDDDD