Source Engine exploits could let hackers remotely access players' PCs
Valve have allegedly known about the issue for years, but have yet to fix it

Hack-hunting group Secret Club have revealed multiple exploits affecting Source Engine games like CS:GO, which could allow hackers to steal player data via Steam invites and community servers. They claim they reported one of these exploits to Valve two years ago, but not only have the company yet to patch it, they allegedly prevented Secret Club from publicly disclosing the information too.
Secret Club are a not-for-profit reverse engineering group who’ve found a number of exploits with Valve’s software, which they explain in a series of posts on Twitter. Each of these exploits is a remote code execution flaw, which Secret Club told me via email gives a hacker “full control over the victim’s system, which can be used to steal passwords, banking information, and more.”
Below they show how the exploit can be activated through Steam invites.
Two years ago, secret club member @floesen_ reported a remote code execution flaw affecting all source engine games. It can be triggered through a Steam invite. This has yet to be patched, and Valve is preventing us from publicly disclosing it. pic.twitter.com/0FWRvEVuUX — secret club (@the_secret_club) April 10, 2021
Two more posts (here and here) show a type of the remote execution exploit working in CS:GO. This is done in the game itself, rather than through Steam. Secret Club claim this one was reported to Valve “months ago”, but they allegedly haven’t acknowledged the issue.
Remote code execution is shown being used slightly differently in Team Fortress 2, where hackers can trigger the flaw while hosting a community server. Once players are in the server, hackers can send these remote code executions to everyone inside it, and get access to personal data, passwords, and all those things you don’t want hackers getting hold of. Scary stuff.
Valve have yet to make any sort of statement about these exploits. I’ve contacted them for comment, and will update this article if I receive a response.