Counter-Strike: Global Offensive (CS:GO) suffered from a bug that let hackers break into players' PCs through Steam chat. The vulnerability was first reported two years ago by user Florian, one of the members of the Secret Club, a nonprofit group of security researchers. Last Saturday (17), Florian revealed on Twitter that Valve had fixed the error in the April CS:GO update.
The video showing the bug in action went viral on Twitter
On April 10, the Secret Club published a video on Twitter in which Florian showed the CS:GO flaw in action. In short, to get into a PC the hacker just needed to send a game invitation via Steam chat to the user they wanted to attack. Once the victim accepted the invitation, the attacker gained full access to the victim’s computer.
The recording soon went viral on the social network among the Counter-Strike community, who started asking for the developer’s attention. Florian had already reported the error two years earlier through HackerOne, Valve’s program in which people are paid for finding bugs in games. According to the Secret Club researcher, however, the company sent its first response only after a year and a half of waiting.
Two years ago, secret club member @floesen_ reported a remote code execution flaw affecting all source engine games. It can be triggered through a Steam invite. This has yet to be patched, and Valve is preventing us from publicly disclosing it. pic.twitter.com/0FWRvEVuUX
– secret club (@the_secret_club) April 10, 2021
In an interview with BleepingComputer, one of the leaders of the Secret Club, Carl Schou, explained that the vulnerability was serious, as it could expose the personal data of any of the 27 million players of Counter-Strike: Global Offensive.
CS:GO is not the only Valve game with security flaws
CS:GO, however, was not the only game with vulnerabilities on Steam. This specific bug stemmed from a security flaw in the Source graphics engine, developed by Valve. This means that the error affected not only Counter-Strike but also Half-Life 2, Garry’s Mod, Team Fortress 2, Left 4 Dead, Portal 2, or any other game created with the engine.
In the first response sent to Florian, six months ago, Valve claimed to have fixed the error in one of the company’s games. However, the researcher did not want to reveal which one had been corrected. According to him, if the title’s name were released, hackers could find the patch among the game’s files and remove the protection.
Valve takes a long time to respond to bug reports
On Twitter, the Secret Club shared two other posts from users who had also identified more security holes in CS:GO. According to the group, these bugs were also reported to Valve more than five months ago, but the company has not yet responded to the messages.
“On the topic of our previous thread, we have @brymko @cffsmith @scannell_simon showing off their remote zero-day code executions on CS:GO. This was sent to Valve months ago, but the company never paid for the report or acknowledged the security breach,” said the group in one of the tweets.
On the topic of our previous thread, we have @brymko @cffsmith @scannell_simon showcasing their remote code execution 0-day for CS:GO. This has been reported to Valve months ago, but they have neither paid them nor acknowledged the exploit. pic.twitter.com/yGUJTZZzrO
– secret club (@the_secret_club) April 10, 2021
“The third is for good; Secret Club member mev shows his remote execution of zero-day codes in CS:GO. This bug was reported to Valve five months ago, but with no response from the company,” posted the Secret Club.
Third time's a charm; @the_secret_club member mev showcases their remote code execution 0-day for CS:GO. This has been reported to Valve 5 months ago with no response from Valve. pic.twitter.com/Jw8icRPh3j
– secret club (@the_secret_club) April 10, 2021
With information from Eurogamer and Vice.