While Bugs aren’t uncommon in games, it’s only every so often that bug is so detrimental to the platform that It might scare off users from the game. In this case, as the CSGO Steam invite hack could cause crippling issues for users globally, it’s no wonder that concerned eyebrows have been raised.
Valve’s Source Engine has been around for a long time, from Team Fortress 2 to Half Life 2, dozens of games under the Source Engine umbrella are played by gamers from around the world, and one researcher has discovered a exploit in the engine that could become detrimental to anyone who’s playing.
Found in 2019, Ruhr-Universität Bochum Infosec student Florian discovered the bug, and posted it onto HackerOne, the bug hunting website in which Valve will pay bounties for bugs caught by regular users.
After being verified by moderators, Florian heard little about the bug, and according to his Twitter thread about the issue, he didn’t receive his bounty until 6 months ago. He lamented that even though valve seemingly fixed the issue in their source titles, CSGO still remains the one game where this exploit is still achievable. “I think it’s reasonable to say that Valve had plenty of time to fix this issue.”
As you may know, @the_secret_club recently posted videos about Source Engine games RCE. I was also ignored by Valve for a year. Here’s the demonstration of my report. RCE can be achieved by connecting to a malicious server, then the chain will be completed when game is restarted. pic.twitter.com/oVGSjpYWTz
— Bien Pham (@bienpnn) April 12, 2021
While it may be fixed in other titles, the one title that matters is CSGO, being a popular and ongoing esport this puts players in danger if they ever decide to click an invite from a player they aren’t friends with. Given the fact that the exploit gives the hacker control of the victims machine, not only will the personal data of the player be ripe for the taking, but the hacker can then impersonate the victim to spread the exploit to other computers like a worm, forcing their way through multiple PCs and infecting anyone who falls for the trick that the last player fell for.
Florian has mentioned that despite finding the exploit years ago, Valve has yet to give Florian an actual response in whether or not they’ve fixed this exploit.
However, this is not the first time that such an exploit has been swept under the rug, as another security researcher Bien Pham showcases a similar bug on Twitter, in which the player connects to a malicious server which implements a similar exploit that doesn’t trigger until the victim restarts the game.
Despite being reached out to by many people reporting on this issue, Valve has yet to respond to any of them, many hope that Valve will finally say something if the situation is made public enough by the community. For now, be careful to stay away from suspicious invites to CSGO.
Be the first to comment