Valve Has A Massive Loophole For Hackers
Playing a video game with hackers is irritating enough. Watching someone clip through walls while landing impossible shots can make you want to turn your PC off and walk away — if you don't smash your keyboard to bits first. However, a new exploit revealed by white hat hackers on Twitter could be even more devastating than taking an L in your favorite online game. If nothing else, it should definitely leave you iffy about playing any Valve games in the near future.
On April 10, a group called Secret Club released video of a hack that uses "remote code execution" in Source Engine games. It works by using Steam's game invite system, enabling a hacker to send an invite, have the recipient click a banner to start the game, and then run code on the recipient's PC. In the example shown, the exploit is used for something far less nefarious; it starts the Calculator app in Windows. You can imagine how this hack could be used for far darker deeds, though. If someone with malicious intent were to install a keylogger or a remote desktop server, the situation could get very bad very quickly.
That all sounds terrible enough. The real kicker, however, is that this exploit has apparently been around for quite a while, and Valve hasn't done anything about it. According to Secret Club, someone in the group found this hack and reported it two years ago. Fast forward to the present day, and in Counter-Strike: Global Offensive, at least, it still works. Valve hasn't patched it, which means anyone playing that game — and potentially any other Source Engine game — is vulnerable.
For the record, it does seem as though Valve knows about the hack. As Secret Club put it, Valve is not allowing the group to make it public, presumably so instructions on how to activate it don't fall into the wrong hands. Still, one could argue that two years is more than enough time for Valve to get its arms around this issue. Every second that ticks by, after all, is another where someone playing CS:GO could potentially have their PC compromised by a bad actor.
If you're someone who plays Source games on Steam, this is definitely something you'll want to keep an eye on until it's fixed. Keep an eye on who is sending you invites — especially to CS:GO — and don't be hesitant to disconnect if you suspect something is fishy. Hopefully Valve gets this taken care of soon. In the meantime, you'll have to watch your own back.