Last week, hack-hunting group Secret Club revealed several exploits affecting some of Valve's games that could let hackers gain remote access to players' PCs. The group claimed they'd reported these exploits to Valve previously, but the company hadn't done anything about them - until now. Secret Club say Valve have fixed an exploit the company had supposedly known about for two years, which could've allowed hackers to steal player data through Steam invites.
This type of hack is called a "remote code execution flaw". These allow hackers to run scripts on other players' devices to gain full control of their system, which could then be used to nick data, wipe hard drives, or do whatever other harmful things hackers like doing with other people's stuff.
Secret Club show how this exploit could be triggered through a Steam invite in the Tweet below. It seems the hacker can send another player an invite, and when that player accepts, the hacker can open whatever they want on that player's device. The scary part is that this was made possible due to a bug in the Source Engine, so any games made in that engine could've been affected (like CS:GO or Team Fortress 2).
Two years ago, secret club member @floesen_ reported a remote code execution flaw affecting all source engine games. It can be triggered through a Steam invite. This has yet to be patched, and Valve is preventing us from publicly disclosing it. pic.twitter.com/0FWRvEVuUX
— secret club (@the_secret_club) April 10, 2021
The group say that Valve have now sorted this exploit though, and the Secret Club member who discovered the hack, "Florian", has been given permission to reveal the details about it. This hack-hunter says they're currently working on a "detailed technical write-up", so do keep an eye on their Twitter if you're interested in the follow-up.
Hopefully, this is the start of multiple remote code execution flaws being fixed by Valve, seeing as last week Secret Club also showed this type of exploit used in a few more ways. One involved hackers triggering the flaw inside malicious community servers in TF2. They'd be able to set up a server, then run code remotely on the machine of everyone inside it. There are also multiple ways it can be used in CS:GO.