Researchers Find Bug in CS:GO That Could Allow Hackers to Hijack Your Computer

Last Updated: May 2, 2021

With the increasing cyberattacks worldwide, one would think that companies are paying more attention to their security infrastructure. Apparently, that is not the case with Valve Corporation. Multiple security researchers discovered a bug in Valve’s Counter-Strike: Global Offensive (CS:GO) game that could allow malicious entities to take over a user’s computer. One of the researchers who first discovered this bug reported it in 2019, but Valve ignored the report until a recent public outcry. In this article, we will be talking about the situation surrounding this security bug. 

What is Counter-Strike: Global Offensive (CS:GO)?

Counter-Strike is a multiplayer first-person shooter video game series where two teams compete against each other. Each team comprises five players and needs to complete specific objectives to win. One group has the role of Terrorists (Ts) looking to commit an act of terror, while the other group has the role of Counter-Terrorists (CTs). Like most first-person shooter games, the game rewards players with an in-game currency they can spend on weapons and other things. There are different modes with different objectives and characteristics.

Initially released on Windows OS in 2000, Counter-Strike has grown to be one of the most prominent first-person shooter games in history. It is available on macOS, Windows, Linux, PS3, and Xbox 360. The Counter-Strike series has four main games: Counter-Strike, Condition Zero, Source, and Global Offensive. While there have been spin-offs, these four are what most people have played over the years.

The most recent release is Global Offensive which Valve developed and released on August 21, 2012. About 11 million people play it on Valve’s Steam platform monthly. Since its inception, Counter-Strike has joined several competitive tournaments, including the Cyberathlete Professional League, World Cyber Games, and Electronic Sports World Cup. Valve hosts the most prestigious Counter-Strike tournament and calls it “Counter-Strike: Global Offensive Major Championships.” 

Researchers Find Bug in CS:GO

A white-hat hacker group known as The Secret Club found a new vulnerability in the Counter-Strike: Global Offensive game that gives a hacker the ability to take over your computing system if you click on an invite to play the game on Steam. By using Steam’s invite system, hackers can exploit the bug to achieve remote code execution (RCE) and steal personal data from anyone who clicks on the invite link. A member of The Secret Club discovered the bug in Source, a 3D game engine that Valve developed. Several games use the Source engine, including Counter-Strike: Global Offensive. However, most games that use the Source engine no longer have the bug. Unfortunately, Counter-Strike: Global Offensive players will be petrified to know that this bug still exists in the game.

A member of The Secret Club named Florian (@floesen_ on Twitter) initially reported the bug to Valve two years ago (2019), but the Valve team did nothing to patch it. Florian, a student researcher, explained that he expressed his concerns about the remote code execution flaw to Valve through HackerOne. HackerOne is a bug bounty platform that hackers can use to reach out to companies like Valve if they discover bugs or vulnerabilities. 

Florian disclosed that despite his flagging the bug as critical, the Valve team made no effort to patch it and was slow in responding to threads about the bug. It is inconceivable that a company with the resources and clout that Valve has would not take a security issue seriously. It seems like that is the trend with Valve, as The Secret Club revealed on Twitter that Valve did the same with two other vulnerabilities that members of the team reported.

Valve Pays Bounty But Refuses To Fix The Bug

It is no longer news that Florian reported the RCE bug, and Valve didn’t fix it. What is shocking is that Valve acknowledged Florian’s report about six months ago and paid the bounty but still didn’t fix the vulnerability. He said the last time he heard from Valve was six months ago when they paid him the bounty through HackerOne. Valve even assured him it was working on fixing the vulnerability as it has previously fixed something similar in a game using the Source engine. 

The student researcher explained he confirmed that Valve indeed fixed that game. Florian did not reveal which game Valve fixed and explained why in a statement. “We intentionally did not mention that because we do not want people to search for the patch in the game binaries as this would greatly reduce the effort to rebuild the exploit for all the other unpatched games.” We, however, do not understand why Valve decided to ignore CS:GO’s vulnerability for about two years. 

Due to Valve’s HackerOne policy that prevents bug bounty hunters from publicly disclosing exploits, Florian has not released a detailed report on the bug. Other bug bounty programs on HackerOne usually follow a policy that gives researchers permission to disclose vulnerabilities if the company does not fix them after a specified period (usually around 90 or 180 days). Valve, on the other hand, has no such policy.

Other Researchers Confirm Valve Ignored Reports On The Bug

Other researchers have confirmed that the CS:GO bug exists, and that Valve has been ignoring reports on it. Carl Schou, a top member of The Secret Club, explained that bad actors could use the CS:GO bug to steal sensitive data, including financial information and other credentials. At least three other researchers claim that Valve ignored their reports. They have posted different videos showing how the remote code execution flaw works when a user accepts an invite to a malicious community server.

Brymko (@brymko on Twitter), Carl Smith (@cffsmith on Twitter), and Simon Scannell (scannell_simon) all have videos on YouTube demonstrating the CS:GO RCE flaw. After posting his video demonstration of the exploit on Twitter, another researcher explained how he also reported the bug, but Valve ignored his report for over a year. Bien Pham (@bienpnn on Twitter), a software engineer, says he reported the bug to Valve on April 2, 2020, and the company ignored it. 

Valve Finally Fixes the Bug

On April 17, 2021, Florian (@floesen_ on Twitter) posted this on Twitter: “Good news! Valve fixed my recent exploit and gave me permissions to disclose details. That being said, I am working on a detailed technical write-up which I am going to release soon. Stay tuned!” While this is great news, Valve’s negligence shows it doesn’t care about protecting its users’ personal information or the integrity of its games. 

On its Twitter account, The Secret Club has reported a few other bugs that Valve has not fixed. They include a community server bug on Team Fortress 2 and two other CS:GO RCE bugs. Would we need another public outcry before Valve fixes these bugs? 

Valve’s History of Ignoring Bugs

In August 2019, Vasily Kravets, a security researcher, publicly released a zero-day exploit in Valve’s Steam platform after Valve banned him from its HackerOne bug bounty program. He discovered a flaw in the Steam client that any malicious entity could exploit. The bug was a privilege-escalation vulnerability that could allow a bad actor to run any program with the highest possible access rights on a Windows system with Valve’s Steam installed.

In fact, he discovered more than one bug and only went public after discovering the second bug. After discovering the first bug, he submitted a report on HackerOne that Valve rejected because its HackerOne team didn’t think the bug was a security problem. Then, he discovered a second bug and tried to report it, but Valve banned him from its HackerOne bug bounty platform. 

Forty-five days after Vasily Kravets’s initial discovery, he released the report publicly even though HackerOne banned him from doing so. However, after his public outcry, Valve fixed the privilege-escalation exploit. Valve acknowledged that it made a mistake by classifying Kravets’s initial discovery as out of scope. It also updated its bug reporting guidelines to prevent that type of mistake from happening again.

Conclusion

Valve’s past and present conduct shows that it takes little care to ensure its Steam users have the best security. Given its antecedents, you may want to think twice about going along with any of its products or services. Fortunately, Valve has fixed the CS:GO bug that could allow bad actors to hijack your computer system.