A security researcher known on Twitter as Florian discovered a critical flaw in the Source Engine, the video game engine used by Valve's famous Counter-Strike: Global Offensive and by other games such as Half-Life 2, Left 4 Dead and Team Fortress 2.
Two years ago, Florian reported the bug to Valve through HackerOne, the bug bounty platform the company uses to receive vulnerability reports. However, according to what the researcher explained to Vice, even though Valve admitted it was a critical bug, the company still hasn't fixed it.
An exploit that works 80% of the time and can spread almost like a worm
Two years ago, secret club member @floesen_ reported a remote code execution flaw affecting all source engine games. It can be triggered through a Steam invite. This has yet to be patched, and Valve is preventing us from publicly disclosing it. pic.twitter.com/0FWRvEVuUX
- secret club (@the_secret_club), April 10, 2021
The bug, which has been fixed in other games that use the Source Engine, is still present in CS:GO, and can be exploited to take full control of the victim's computer via a simple Steam invitation to play the game.
Florian explains that he was able to create an exploit for the bug and that, by his calculations, it works 80% of the time. In addition, according to the hacker, the exploit can be weaponized: once you infect someone, you can infect their friends and so on, "almost like a worm".
We are talking about one of the heavyweights of Steam, a multiplayer game that has reached almost 20 million simultaneous users and that currently has a critical security hole putting millions of players at risk.
Valve ignoring security researchers is not just specific to the secret club. Here we see Bien Pham demonstrate his Remote Code Execution exploit that has not been patched for over a year. https://t.co/5Ecz1Gw4Jx
- secret club (@the_secret_club), April 12, 2021
Florian is part of The Secret Club, a nonprofit group dedicated to reverse engineering and software research. The group in question has been sharing on Twitter other bugs that its members have discovered in Valve software, and that have been ignored for more than a year.
Valve doesn't have the best track record in dealing with bugs and the researchers who report them
These types of problems are becoming more frequent with Valve. In fact, there have been multiple notable incidents in recent years. There was the famous exploit that put users at risk for 10 long years. And in 2018 we learned of a remarkable bug that made it possible to obtain the activation keys of any video game; it was never known whether it was exploited, or to what extent.
In 2019 there was a bigger controversy when researchers discovered a vulnerability in Steam that allowed malware to run on the user's computer and affected all Windows users. The controversy arose because, after the flaw was made public, Valve had the researchers expelled from the HackerOne program because, according to the company, "it did not fulfill the rules of the program".
Valve ended up admitting that it was a mistake to kick the researcher out, but he was still kicked out and was never contacted. With this new bug, The Secret Club wanted to make it clear that Valve ignoring security researchers is a pattern and not an isolated case.