
StarCraft 2 Custom Games list freeze - technical explanation [2024/03] · GitHub

Submitted by Style Pass, 2024-03-31 06:30:06

UPDATE 29-03-2024: The bug described below was addressed in 5.0.13.92028, released on 26th March. However, not long after, a new exploit began to be used in a similar manner: publishing a malformed map and then hosting it publicly triggers a game client crash.

This new variant is harmless: it cannot be exploited to distribute malware or anything of that sort. More info about it is on the SC2 Forum.

The sad part is that it requires an engine-level fix or server-side validation of published maps. This is not something we, as a community without access to the code, can help with in any way; it's up to Blizzard now.

I'm making this post in response to a recently discovered bug in SC2 that has been actively used within the last week(s). There's a lot of misinformation surrounding it, some failed assumptions etc. I'll attempt to shed some light, for users and Blizzard.

It abuses a flaw in the Text Tags / Format Tags (something à la BBCode/mini-HTML, but specific to the SC2 engine). By embedding <img path="//example.org/resource"> within the name of a published map file, they trigger a remote request.
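A validation check for this pattern, as an added example (not code from the original post or from Blizzard): it scans a map name for img tags whose path is protocol-relative, UNC or URL-style, and strips them. The tag grammar is assumed from the single sample above, and the function names and sample map names are hypothetical.

```python
import re

# Assumption: tags look like <img path="..."> as in the post's sample. This is
# a simplified matcher for validation, not the SC2 engine's real tag parser.
IMG_TAG = re.compile(r"<\s*img\b([^>]*)>?", re.IGNORECASE)
# The value may be double-quoted, single-quoted or bare; the closing quote is
# optional so that an unterminated attribute is still inspected.
PATH_ATTR = re.compile(
    r"""\bpath\s*=\s*(?:"([^"]*)"?|'([^']*)'?|([^\s>]+))""", re.IGNORECASE
)
# Remote forms: //host/..., \\host\share, or scheme://host/...
REMOTE = re.compile(r"^(?:[\\/]{2}|[a-z][a-z0-9+.\-]*:[\\/]{2})", re.IGNORECASE)


def remote_image_paths(name: str) -> list[str]:
    """Return every img path in `name` that points off the local machine."""
    hits = []
    for tag in IMG_TAG.finditer(name):
        for attr in PATH_ATTR.finditer(tag.group(1)):
            path = next(g for g in attr.groups() if g is not None).strip()
            if REMOTE.match(path):
                hits.append(path)
    return hits


def neutralize(name: str) -> str:
    """Drop img tags that carry a remote path; leave other markup untouched."""
    return IMG_TAG.sub(
        lambda t: "" if remote_image_paths(t.group(0)) else t.group(0), name
    )


# Constructed sample map names (not taken from real published maps).
SAMPLES = [
    'Cool <img path="//example.org/resource"/>Map',   # form shown in the post
    'Arena <img path="//example.org/resource>',       # unterminated quote
    "<IMG PATH='HTTP://example.org/a.png'> Melee",    # case and quote variants
    '<img path="local/icon.dds"/> Tower Defense',     # local asset, allowed
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", remote_image_paths(sample), repr(neutralize(sample)))
```

Rejecting the name outright at publish time is the stricter option; `neutralize` is for display paths that must still render names already in circulation.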
