Valve has been accused of preventing security researchers from publicly disclosing a remote code execution vulnerability that allegedly affects all games developed using the company’s widely renowned Source game engine (e.g., Half-Life 2, Counter-Strike: Global Offensive). According to reports so far, the flaw, which was originally reported two years ago but purportedly ignored by Valve, is primarily leveraged by attackers through Steam’s invite system. Secret Club, a not-for-profit reverse-engineering group, has tweeted a series of videos demonstrating that the vulnerability exists.
Two years ago, secret club member @floesen_ reported a remote code execution flaw affecting all source engine games. It can be triggered through a Steam invite. This has yet to be patched, and Valve is preventing us from publicly disclosing it. pic.twitter.com/0FWRvEVuUX
— secret club (@the_secret_club) April 10, 2021
On the topic of our previous thread, we have @brymko @cffsmith @scannell_simon showcasing their remote code execution 0-day for CS:GO. This has been reported to Valve months ago, but they have neither paid them nor acknowledged the exploit. pic.twitter.com/yGUJTZZzrO
— secret club (@the_secret_club) April 10, 2021
Third time's a charm; @the_secret_club member mev showcases their remote code execution 0-day for CS:GO. This has been reported to Valve 5 months ago with no response from Valve. pic.twitter.com/Jw8icRPh3j
— secret club (@the_secret_club) April 10, 2021
Sources: Secret Club, r/pcgaming