Hackers could take control of victims’ computers just by tricking them into clicking on a Steam invite to play Counter Strike: Global Offensive, according to a bug report seen by Motherboard.
A bug in the game engine used in Counter Strike: Global Offensive could be exploited by hackers to take full control of a target’s machine. A security researcher alerted Valve about the bug in June of 2019. Valve is the maker of Source Engine, which is used by CS:GO, Team Fortress 2, and several other games.
The researcher, who goes by the name Florian, said that while that the bug has been fixed in some games that use the Source engine, it is still present in CS:GO, and he demonstrated it in a call with Motherboard.
Florian’s correspondence with Valve occurred on HackerOne, the bug bounty platform used by the company to get reports about vulnerabilities. Valve admitted that it was being slow to respond, even though it classified the bug as “critical” in the thread with the researchers, which Motherboard reviewed.
“I am honestly very disappointed because they straight up ignored me most of the time,” Florian said in an online chat.
A Valve spokesperson did not respond to a request for comment.
Florian said that he was able to code an exploit to take advantage of the bug that works 80 percent of the time, according to his estimate. Another researcher also found the same bug months after Florian reported it, and their report was merged with the original one.
Do you reverse engineer and research vulnerabilities in video games? Or do you work on anti-cheat engines? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, lorenzofb on Wickr, OTR chat at [email protected], or email lore[email protected]
According to him, hackers could use this bug and make it automatically spread, almost as a worm.
“Once you infected somebody this person can be weaponized in order to infect their friends and so on,” Florian said.
The good news is that Valve appears to have patched the bug in other games other than CS:GO.
“We can’t say in how many games it used to work and if/when things got patched,” Florian said. “When we posted that this exploit affects every source engine game one should understand this as ‘every game might theoretically be affected as it is a bug in the engine and not something game specific.'”
On Twitter, Carl Schou, the founder of Secret Club, a not-for-profit group of security researchers, highlighted two other vulnerabilities that he said were reported to Valve by members of his group.
“Valve’s response has been a complete disappointment right from the start. Our experience has always been slow response times, with little to no patches being pushed to production,” he told Motherboard in an online chat. “They truly don’t care about the security and integrity of their games.”
This is not the first time Valve has been slow to respond and fix reported vulnerabilities. In 2018, Motherboard reported that a security researcher found a bug in Steam that allowed hackers to take over victims’ computers—a bug that had been present for 10 years. In 2019, Valve banned a security researcher from its bug bounty program, prompting him to publish the exploit publicly.
Subscribe to our cybersecurity podcast, CYBER.