If you click on a link and make a purchase we may receive a small commission. Read our editorial policy.

Valve fix Steam security exploit after two years

It could've let hackers take remote control of players' PCs

Last week, hack-hunting group Secret Club revealed several exploits affecting some of Valve's games that could let hackers gain remote access to players' PCs. The group claimed they'd reported these exploits to Valve previously, but the company hadn't done anything about it - until now. Secret Club say Valve have fixed an exploit the company had supposedly known about for two years, which could've allowed hackers to steal player data through Steam invites.

This type of hack called a "remote code execution flaw". These allow hackers to run scripts on other players' devices to gain full control of their system, which could then be used to nick data, wipe hard drives, or do whatever other harmful things hackers like doing with other peoples' stuff.

Secret Club show how this exploit could be triggered through a Steam invite in the Tweet below. It seems the hacker can send another player an invite, and when that player accepts, the hacker can open whatever they want on that player's device. The scary part is that this was made possible due to a bug in the Source Engine, so any games made in that engine could've been affected (like CS:GO or Team Fortress 2).

The group say that Valve have now sorted this exploit though, and the Secret Club member who discovered the hack, "Florian", has been given permission to reveal the details about it. This hack-hunter says they're currently working on a "detailed technical write-up", so do keep an eye on their Twitter if you're interested in the follow-up.

Hopefully, this is the start of multiple remote code execution flaws being fixed by Valve, seeing as last week Secret Club also showed this type of exploit used in a few more ways. One involved hackers triggering the flaw inside malicious community servers in TF2. They'd be able set up a server, then send remote code executions to everyone inside it. There are also multiple ways it can be used in CS:GO.

Topics in this article

Follow topics and we'll email you when we publish something new about them.  Manage your notification settings.

About the Author
Imogen Beckhelling avatar

Imogen Beckhelling


Imogen is a lore enthusiast and lover of all the fun shenanigans game communities get up to. She spends too much time playing Overwatch, and not enough time having interests that aren't to do with video games.

Rock Paper Shotgun logo

We've been talking, and we think that you should wear clothes

Total coincidence, but we sell some clothes

Buy RPS stuff here
Rock Paper Shotgun Merch