In this pandemic, we all have been playing multiplayer games with our friends such as Valorant, Overwatch and what not. You may have known about Counter Strike: Global Offensive, right? A game which has been loved by most veteran gamers now can be used to hack your computer using an exploit.
Counter Strike: Global Offensive is a game launched by Valve and Hidden Path Entertainment in the year 2012 which is a continuation of the series Counter Strike. Counter Strike, originally a mod developed for Half Life, turned out to be one of the biggest Esports title ever. This series expands upon the team-based action gameplay which can be intense and fun at the same time.
Recently news has surfaced about an exploit which can be used to hack your computer and gain all your sensitive info using this game’s system. This exploit or bug was originally discovered by The Secret Club, a white hat hacking group, which found that the hackers can exploit the bug by using Steam’s invite system. The information regarding this exploit was brought to Valve’s attention two years ago, but the game development company, owned by Gabe Newell, seems to have not acknowledged this issue so far as the bug existing still today. Finally, on April 10, 2021, information about this exploit was made public by The Secret Club alleging that Valve had prevented them to disclose the info publicly.
The Secret Club revealed a lot of info about an exploit which directly affects all the games based on the game engine Source by Valve. They had originally found this bug 2 years ago and had reported it to Valve. Since the date, this information was kept unrevealed to the public giving Valve time to study and fix this bug.
Unfortunately, Valve has decided to still not attend the issue and has completely ignored the bug leaving millions of player’s computers vulnerable. This exploit works till this date gathering sensitive credentials of the players. The big issue is that Valve had kept The Secret Club from disclosing this information for a long period of time even so that this was a matter that had to be addressed at hands. This exploit does not end to the extends of CS:GO, but still works in the other Source engine-based games.
How does this exploit work?
It is triggered by sending a Steam invite, whether it is for a game or an item trade. Once the player accepts the game invite, the hacker can use a remote code execution flaw and get hold of the access to the player’s computer. This access includes local data on the system and running or closing any program.
This is one of the ways the hackers can use this exploit. Another way for the hackers is to host a community server or alter an existing custom map uploaded to the Steam Workshop. After joining the community server or the map, the hacker sends all the players joined, the previously used remote code execution flaw, and gains access the same way.
After the process of sending the execution, a pre-written script can be automatically activated in the player’s computer and steal all the sensitive info and credentials present on the system, infect the hard drives of the player with virus or malware and the passwords and skins of the player easily.
How to be protected from this exploit?
We have talked enough about the how it works, right? Now we need to know how to protect ourselves from the hackers from stealing our valuable skins and credentials. In the time being, there are not really any steps being taken by Valve against these hackers. So, the only way to protect us from this exploit is to ignore and not accept the Steam invites or trades that seem to be fishy and from strangers.
The ‘remote code execution’ is only triggered when the malicious Steam invite, sent by the hackers, has been accepted. Declining the invite will not give hackers any access to the system, leaving you safe from the attacks. In the case of community servers, you should prevent joining any unknown servers or the servers that have not been joined by you previously. Sticking to the trustable community server and workshop is the best way to protect yourselves from this exploit.
As per a statement on the National Vulnerability Database (NVD), “Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click.”
Incoming friend requests from other players can be accepted, declined, or ignored, by the users because the exploit cannot be delivered vis a vis ‘Steam Friend Request’.
Overview
In my opinion, this issue was to big to be kept hidden from the public by Valve. It was a very dishonest move by such a big American company not addressing a very critical issue for 500+ days. This should be resolved as soon as possible by Valve. This is a severe dilemma for the people who own ‘Source engine-based’ games via Steam, installed on their systems.
The ‘Source based’ community has been led down by Valve to a great extent due to the negligence of the company. Valve has not officially commented on this matter yet, and for the time being, users should be wary when booting up CS:GO or any other ‘Source engine-based games’ by Valve. Let us know your thoughts about this dilemma in the comments.
Editors Note: Valve has since released a patch for CS:GO, but the vulnerability remains in other games. We will update this article as other games are sufficiently patched and secure.