Counter-Strike: Global Offensive, or CS:GO, one of Valve’s most popular games, has been around for nearly a decade now. However, as popular as the game is, the developers have reportedly not bothered, for over a year, to fix a security flaw that allows a hacker to take control of a victim player’s PC.
According to a report by BleepingComputer, an ethical hacking collective called the Secret Club identified a serious security flaw in the game that allowed an attacker to misuse the Steam service’s game invite mechanism. The flaw reportedly exists in the ‘Source’ engine, which was created by Valve and is used in some of its popular games, such as Half-Life and CS:GO. The group also published a demonstration of the exploit on their YouTube channel.
The report says that Florian, a student and member of the Secret Club, reported the vulnerability to Valve back in 2019 via the company’s bug bounty program. While the company reportedly paid the bounty, it has yet to fix the flaw in the game’s engine, which means a few other games that run on the Source engine are also affected, with a few exceptions. The exploit uses a remote code execution flaw in the Source engine to take control of the victim’s computer.
Interestingly, the game was updated on March 31, but the flaw still existed when the report was published. That also means the researchers cannot yet disclose the vulnerability to the public, as quite a few games could be affected without a fix from Valve. With millions of users playing the game, and considering that it is widely used in esports competitions, it is quite surprising that the company has taken this long to fix such a serious security flaw.