Hack-hunting group Secret Club have revealed multiple exploits affecting Source Engine games like CS:GO, which could allow hackers to steal player data via Steam invites and community servers. They claim they reported one of these exploits to Valve two years ago, but not only are the company yet to patch it, but they allegedly prevented Secret Club from publicly disclosing the information too.
Secret Club are a not-for-profit reverse engineering group who've found a number of exploits with Valve's software, which they explain in a series of posts on Twitter. Each of these exploits are remote code execution flaws, which Secret Club told me via email gives a hacker "full control over the victim's system, which can be used to steal passwords, banking information, and more."
Below they show how the exploit can be activated through Steam invites.
Two years ago, secret club member @floesen_ reported a remote code execution flaw affecting all source engine games. It can be triggered through a Steam invite. This has yet to be patched, and Valve is preventing us from publicly disclosing it. pic.twitter.com/0FWRvEVuUX— secret club (@the_secret_club) April 10, 2021
Two more posts (here and here) show a type of the remote execution exploit working in CS:GO. This is done in the game itself, rather than through Steam. Secret Club claim this one was reported to Valve "months ago", but they allegedly haven't acknowledged the issue.
Remote code execution is shown being used slightly differently in Team Fortress 2, where hackers can trigger the flaw while hosting a community server. Once players are in the server, hackers can send these remote code executions to everyone inside it, and get access to personal data, passwords, and all those things you don't want hackers getting hold of. Scary stuff.
Valve have yet to make any sort of statement about these exploits. I've contacted them for comment, and will update this article if I receive a response.