A bug in CS: GO allows a hacker to take full control of your PC with just an invitation to play on Steam



A security researcher known on Twitter as Florian, discovered a critical failure in the Source Engine, the video game engine used by Valve's famous Counter Strike: Global Offensive, and other games such as Half-Life 2, Left 4 Dead, Team Fortress 2, etc.



Florian reported the bug to Valve through HackerOne two years ago, the rewards platform the company uses to obtain reports on vulnerabilities. However, according to what the researcher explained to Vice, even though Valve admitted it was a critical bug, they still haven't fixed it.



An exploit that works 80% of the time and can spread almost like a worm




The bug, which has been fixed in other games that use the Source engine, is still present in CS: GO, and can be exploited to take full control of the victim's computer via a simple Steam invitation to play the game.



Florian explains that he was able to create an exploit to take advantage of the bug and that it works 80% of the time according to his calculations. In addition to this, according to the hacker, it is possible to turn the exploit into a weapon, since once you infect someone, you can infect their friends and so on "almost like a worm".







History and evolution of Counter Strike, the game that has been one of the benchmark FPS for more than 20 years





We are talking about a game that is one of the heavyweights of Steam, a multiplayer that has reached almost 20 million simultaneous users and that at the moment it has a critical security hole that puts millions of players at risk.




Florian is part of The Secret Club, a nonprofit group dedicated to reverse engineering and software research. The group in question has been sharing on Twitter other bugs that its members have discovered in Valve software, and that have been ignored for more than a year.




Valve doesn't have the best track record in dealing with bugs and the researchers who report them




These types of problems are becoming more frequent with Valve. In fact, there have been multiple notable incidents in recent years. We have the famous exploit that put users at risk for 10 long years. Or, how in 2018 we learned of a masterful bug that allowed us to obtain the activation keys of any video game, which we never knew if it was exploited and at what level.



In 2019 there was a greater controversy when researchers discovered a vulnerability in Steam that allowed malware to run from our computer and affected all Windows users. The controversy occurred because after making the ruling public, Valve had the HackerOne researchers expelled because according to them "it did not fulfill the rules of the program".



Valve ended up admitting that it was a mistake to kick the investigator out, but he still got kicked out and was never contacted. With this new bug, The Secret Club wanted to make it clear that Valve ignoring security researchers is a pattern and not an isolated case.