Two years ago, a reverse-engineering group called The Secret Club discovered an exploit that would allow hackers to easily steal Counter-Strike: Global Offensive (CSGO) passwords. The wildly popular shooter game was developed by Hidden Path Entertainment and Valve, the latter which has apparently known about the issue and for some reason has still not made any effort to fix it.
“Two years ago, secret club member @floesen_ reported a remote code execution flaw affecting all source engine games. It can be triggered through a Steam invite. This has yet to be patched, and Valve is preventing us from publicly disclosing it,” the group wrote in a Saturday post on Twitter.
The Secret Club has claimed that it informed Valve on this issue 5 months ago, with other users also mentioning that Valve has been notified of other bugs and received no response or seen any action from the company that they have even attempted to remedy the issues. In this case, the exploit allows a hacker to obtain the information of a user by utilizing a flaw that can be found in all Source engine games, CSGO included.
The hack, which is implemented in Steam’s invite system, makes it possible for the hacker to obtain information from anyone on the platform who happened to accept the invite in question. From there to hosting community servers and sending remote code executions to running scripts in order to steal user passwords and even infect hard drives with malware, is just one step.
CSGO is no novice to such exploit reports. perhaps one of the more notable involved a Counter-Strike player by the name of AndroidL. The user shared on Reddit how it managed to ban over 3.000 hackers by creating several ‘multihacks’ that would presumably bestow illegitimate powers upon the players who used them. Unfortunately for the attempted cheaters, the 3 fake “multihacks” actually ensured that a VAC ban.