Valve fixes bug in CS: GO that allowed hackers to invade Steam | Games

Counter-Strike: Global Offensive (CS: GO) suffered from a bug that facilitated the invasion of hackers through the chat of Steam. The security breach was first reported two years ago by user Florian, one of the members of the nonprofit group of security researchers at the Secret Club. Last Saturday (17), Florian revealed on Twitter that Valve had fixed the error in the April update. CS: GO.

Counter-Strike: Global Offensive (Image: Press Release / Valve)

The video showing the bug in action went viral on Twitter

On April 10, the Secret Club published a video on Twitter in which Florian showed the failure of CS: GO in action. In short, to enter a PC the hacker just needed to send a game invitation via Steam chat to the user who wanted to attack. When the request was confirmed, the attacker gained full access to the victim’s computer.

The recording soon went viral on the social network among the community of Counter-Strike, who started to ask for the developer’s attention. Before that, Florian had already reported the error two years ago through HackerOne – Valve’s program in which people are paid for finding bugs in games. The company, however, only sent the first response after a year and a half of waiting, according to the researcher at the Secret Club.

In an interview with BleepingComputer, one of the leaders of the Secret Club, Carl Schou, explained that the security breach was serious, as it could expose personal data of any user among the 27 million players of Counter-Strike: Global Offensive.

CS: GO is not the only Valve game with security flaws

O CS: GOhowever, it was not the only game with vulnerabilities on Steam. This specific bug occurred due to a security breach in the Source graphics engine, developed by Valve. This means that the error affected not only Counter-Strike, as also Half-Life 2, Garry’s Mod, Team Fortress 2, Left 4 Dead, Portal 2, or any other game created with the engine.

In the first response sent to Florian, six months ago, Valve claimed to have fixed the error in one of the company’s games. However, the researcher did not want to reveal which one had been corrected. According to him, if the title name were released, hackers could find the patch among the game’s files and remove protection.

Valve takes a long time to respond to bug reports

On Twitter, the Secret Club shared two other user posts that also identified more security holes in CS: GO. According to the group, these bugs were also reported to Valve more than five months ago, but the company has not yet responded to messages.

“On the topic of our previous thread, we have @brymko @cffsmith @scannell_simon showing off their remote zero-day code executions on CS: GO. This was sent to Valve months ago, but the company never paid for the report or acknowledged the security breach, ”said the group in one of the tweets.

“The third is for good; member of the Secret Club, mev shows his remote execution of zero-day codes in CS: GO. This bug was reported to Valve five months ago, but with no response from the company, ”posted the Secret Club.

With information: Eurogamer, Vice.

Leave a Comment