A new vulnerability related to CS:GO has come to light: The Secret Club, a not-for-profit reverse-engineering group, tweeted about a security flaw in CS:GO that hackers can use to run programs on a user’s system. This potentially means hackers can steal skins and passwords and inject malware into a CS:GO player’s system using the flaw, which is technically called a remote code execution flaw.

Two years ago, The Secret Club members discovered this vulnerability in Valve’s game and let Valve know about it through a bug-bounty platform called HackerOne. Valve is a customer of HackerOne, which provides cybersecurity solutions to many more big companies, like Uber, Goldman Sachs, and Nintendo, to name a few.

in simple terms, it is no longer safe to play @CSGO at all if you care about your PC or personal Data because then forget it @valvesoftware sense of security is non-existent just like their anti-cheat, it is time to invest into securing your services and getting an anti-cheat https://t.co/qDUTKMWGCn
— Anti-Cheat Police Department 🕵️ (@AntiCheatPD) April 10, 2021

Hackers can exploit CS:GO's critical security flaw to breach users' systems

Different reputed sources imply that the ethical hackers are under a non-disclosure agreement with the HackerOne platform, which deters them from disclosing the vulnerability to the public.

As can be made out from the videos in the Secret Club's tweets, hackers can use Steam invites to access a user’s system through a remote code execution flaw that affects all source engine games, which includes CS:GO, Titanfall 1, Titanfall 2, Apex Legends, etc. This is one of the first vulnerabilities that the Secret Club reported, and that was two years ago. To be precise, it was Florian from the Secret Club who reported it, and needless to say, Valve has yet to fix it.

Two years ago, secret club member @floesen_ reported a remote code execution flaw affecting all source engine games. It can be triggered through a Steam invite. This has yet to be patched, and Valve is preventing us from publicly disclosing it. pic.twitter.com/0FWRvEVuUX
— secret club (@the_secret_club) April 10, 2021

In a second tweet on the thread, the Secret Club showcased another instance of this vulnerability. A hacker can run anything they want on a user’s system using CS:GO's remote code execution flaw. The demonstration showed a calculator being launched on a hacked system after it was accessed through the CS:GO lobby.

On the topic of our previous thread, we have @brymko @cffsmith @scannell_simon showcasing their remote code execution 0-day for CS:GO. This has been reported to Valve months ago, but they have neither paid them nor acknowledged the exploit. pic.twitter.com/yGUJTZZzrO
— secret club (@the_secret_club) April 10, 2021

In the third and final tweet of the thread, the Secret Club revealed another security flaw in CS:GO, which was reported to Valve five months ago and is yet to be fixed. Here, if a hacker hosts a community server on CS:GO and a user joins it, the hacker can execute code remotely on the system of everyone in the lobby, so they would be able to run a script to steal the users’ passwords or skins, or even upload malware to their systems.

Third time's a charm; @the_secret_club member mev showcases their remote code execution 0-day for CS:GO. This has been reported to Valve 5 months ago with no response from Valve. pic.twitter.com/Jw8icRPh3j
— secret club (@the_secret_club) April 10, 2021

These are all zero-day vulnerabilities. In layman’s terms, a zero-day is a computer-software vulnerability unknown to those who should be interested in its mitigation, which in this case is Valve.

This was recognized by the Anti-Cheat Police Department Twitter group, which has been active in the past years regarding cheating and hacking problems in games. Anti-Cheat PD stated on this issue that:

“In simple terms, it is no longer safe to play @CSGO at all if you care about your PC or personal Data because then forget it @valvesoftware sense of security is non-existent just like their anti-cheat, it is time to invest into securing your services and getting an anti-cheat”

Overall, Valve’s negligence toward this critical issue of their users' cybersecurity is problematic, to say the least. However, it would be interesting to see what they do about it now that public attention has been brought to the issue raised by the Secret Club and the Anti-Cheat Police Department.