In brief: If you receive a Steam invite link to play Counter-Strike: Global Offensive (CS:GO), be wary: clicking on it could allow a hacker to take over your computer. If that wasn’t bad enough, the bug could be made to spread to other devices, just like a worm.
According to a Motherboard report, the bug is found in Valve’s Source Engine used by CS:GO, Dota 2, Team Fortress 2, and others. A security researcher who goes by the name of Florian said he reported the vulnerability to Valve via the bounty program in 2019, but while it has been fixed in almost all of the games, it’s still present in CS:GO.
“Florian said that he was able to code an exploit to take advantage of the bug that works 80 percent of the time,” writes the publication. He also warned of hackers using it to infect other machines.
“Once you infected somebody this person can be weaponized in order to infect their friends and so on,” the researcher explained.
Valve, it seems, has a reputation for not being quick off the mark when it comes to addressing reported bugs. Carl Schou, the founder of the not-for-profit Secret Club group of security researchers, noted that Valve failed to acknowledge two other vulnerabilities reported by members of the group.
Third time's a charm; @the_secret_club member mev showcases their remote code execution 0-day for CS:GO. This has been reported to Valve 5 months ago with no response from Valve. pic.twitter.com/Jw8icRPh3j
— secret club (@the_secret_club) April 10, 2021
“Valve’s response has been a complete disappointment right from the start. Our experience has always been slow response times, with little to no patches being pushed to production,” Schou told Motherboard. “They truly don’t care about the security and integrity of their games.”