A critical bug in Valve’s game engine has been demonstrated by a security researcher to allow hackers to take control of their victims’ computers. All the attacker needs to do is trick their victims into clicking a Steam invite link to play Counter Strike: Global Offensive (CS:GO).
Even more worryingly, the security researcher, known as “Florian” told Motherboard, said that the bug can be used to develop a worm-like exploit to infect other machines.
The vulnerability isn’t game-specific, but rather exists in the Source game engine that’s used by several popular games including CS:GO, Team Fortress 2, Dota 2, and Postal III among others.
We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.
Slow to respond
Florian said he brought the vulnerability to Valve’s attention as part of the company’s bug bounty program back in 2019. And while the bug has been rendered ineffective on virtually all Source-powered games, it still mysteriously exists in CS:GO.
“I am honestly very disappointed because they straight up ignored me most of the time,” said Florian.
While Valve didn’t return Motherboard’s request for comments, Carl Schou, founder of a not-for-profit group of security researchers called Secret Club, pointed out two other vulnerabilities that Valve failed to acknowledge even after being informed several months ago.
“Valve’s response has been a complete disappointment right from the start,” Schou told Motherboard, adding that slow response times have been the hallmark of the group’s past interactions with the popular gaming publisher and distributor.