A simple Steam invitation is enough to take control of a player’s PC remotely. The flaw was discovered by security experts who belong to a volunteer group. They alerted Valve, the publisher of the Source 3D rendering engine, but the flaw has not been fixed, and a hacked PC can then be used to infect other players.
A flaw in a video game engine allows hackers to take control of a PC remotely. This is what the members of the Secret Club cybersecurity group discovered, and it’s not new! In fact, they have been alerting Valve, the powerful publisher of the Source engine, for two years now. The flaw concerns online games like Team Fortress 2 and Counter-Strike: Global Offensive.
Yet the publisher has left the flaw in place, and now a simple Steam invitation is enough to exploit it and execute code remotely on the player’s machine. The hacker gets “total control over the victim’s system, which can be used to steal passwords, bank information, etc.,” says one security expert.
A flaw that spreads
He demonstrated the attack to our colleagues at Motherboard, because the flaw is still active in Counter-Strike: GO. As he explains, if a hacker sets up a server and sends invitations, every player connected to that server can be hacked! He found that the vulnerability had been corrected in some games, but as long as it is present in Counter-Strike, it represents a danger.
“Once you’ve infected someone, that person can be armed to infect their friends and so on,” says this volunteer expert, who compares this type of attack to a worm, so the damage can be exponential. Valve, for its part, classified this security flaw as “critical”, without taking the time to publish a fix.