CS:GO hackers can inject malware to steal passwords; Valve yet to fix the vulnerability

Hackers can use CS:GO's security flaw to inject malware. (Photo by FLY:D on Unsplash)

A new vulnerability related to CS:GO has come to light, as The Secret Club, a not-for-profit reverse-engineering group, tweeted about a security flaw in CS:GO, which hackers can use to run programs on a user’s system.

This potentially means hackers can steal skins and passwords and inject malware into a CS:GO player’s system using the flaw, which is technically called a remote code execution flaw.

Two years ago, The Secret Club members discovered this vulnerability in Valve’s game and let Valve know about it through a bug-bounty platform called HackerOne.

Valve is a customer of HackerOne, which provides cybersecurity solutions to many more big companies, like Uber, Goldman Sachs, and Nintendo, to name a few.


Hackers can exploit CS:GO's critical security flaw to breach users' systems

Several reputable sources imply that the ethical hackers are under a non-disclosure agreement with the HackerOne platform, which deters them from disclosing the vulnerability to the public.

As the videos in the Secret Club's tweets show, hackers can use Steam invites to access a user’s system through a remote code execution flaw that affects all Source engine games, which includes CS:GO, Titanfall 1, Titanfall 2, Apex Legends, etc.

This is one of the first vulnerabilities that the Secret Club reported, and that was two years ago. To be precise, it was reported by Florian from the Secret Club, and needless to say, Valve has yet to fix it.

In a second tweet in the thread, the Secret Club showcased another instance of this vulnerability. A hacker can run anything they want on a user’s system using CS:GO's remote code execution flaw.

The demonstration showed that they ran a calculator on a hacked system after accessing it through the CS:GO lobby.

In the third and final tweet of the thread, the Secret Club revealed another security flaw in CS:GO, which was reported five months ago to Valve and is yet to be fixed.

Here, if a hacker hosts a community server on CS:GO and a user joins it, the hacker can execute code remotely on the systems of everyone in the lobby, so they would be able to run a script to steal the users’ passwords or skins, or even upload malware to their systems.

These are all zero-day vulnerabilities. In layman’s terms, a zero-day is a computer-software vulnerability unknown to those who should be interested in its mitigation, which in this case is Valve.

This was recognized by the Anti-Cheat Police Department, a Twitter group that has been active in past years on cheating and hacking problems in games. Anti-Cheat PD stated on this issue that:

“In simple terms, it is no longer safe to play @CSGO at all if you care about your PC or personal Data because then forget it @valvesoftware sense of security is non-existent just like their anti-cheat, it is time to invest into securing your services and getting an anti-cheat”

Overall, Valve’s neglect of this critical issue affecting its users' cybersecurity is problematic, to say the least.

However, it will be interesting to see what Valve does about it now that public attention has been brought to the issue raised by the Secret Club and the Anti-Cheat Police Department.
