Valve's Really Terrible Security Hole Is No More

Two years after it was initially reported, Valve has finally fixed a security exploit in Counter-Strike: Global Offensive that would allow hackers to remotely take over a PC using a Steam invite. 

As explained last week on Twitter by Secret Club, a reverse-engineering team that finds these kinds of exploits for companies, this particular exploit would seemingly allow hackers to access someone's PC through any game running on Source Engine. While there are multiple games that run on Source Engine, Secret Club was only able to confirm this exploit in CS:GO.

Although Secret Club only publicly shared the exploit last week, the group claimed to have discovered and reported it to Valve two years ago. According to Secret Club, Valve prevented the group from sharing the exploit publicly. Not only that, but it appears that this security flaw was not patched until very recently.

Now, Secret Club member Florian (@Floesen_ on Twitter) has shared that Valve has finally fixed the exploit in CS:GO and has allowed the group to share the technical details, which have been posted on Secret Club's website.

In an interview with Vice prior to the bug's fix, Florian said, "I am honestly very disappointed because they straight up ignored me most of the time." Florian went on to say that while Valve asks for assistance for exploits via the bug bounty platform HackerOne, the gaming giant can be extremely slow to respond to posts, even when Valve itself marks these alerts as critical.

Florian was able to replicate the exploit with an 80 percent success rate, they told Vice. Florian said that the bug could be made to spread automatically, attaching itself to any invites the exploited person sent out. 

Secret Club has had issues with Valve responding to bug reports in a timely fashion in the past. In two other tweets from the organization, Secret Club noted that the exploits the group found had been shared with Valve months prior with no response. Secret Club founder Carl Schou told Vice that he believes Valve "truly don't care about the security and integrity of their games." Valve previously made headlines in 2019 for banning a researcher from the company's bug bounty program after they reported a Steam exploit.

In other Valve news, the company continues to dominate the PC gaming space with its popular Steam platform, despite the best efforts of Epic Games to give it some competition.
