Source Engine bug could allow hacker to take over a PC with CS:GO Steam invite

If you receive a Steam invite link to play Counter-Strike: Global Offensive (CS:GO), be wary: clicking on it could allow a hacker to take over your computer. If that wasn’t bad enough, the bug could be made to spread to other devices, just like a worm.

According to a Motherboard report, the bug is in Valve’s Source Engine, which is used by CS:GO, Dota 2, Team Fortress 2, and others. A security researcher who goes by the name of Florian said he reported the vulnerability to Valve via the bounty program in 2019. While it has been fixed in almost all of the games, it’s still present in CS:GO.

“Florian said that he was able to code an exploit to take advantage of the bug that works 80 percent of the time,” writes the publication. He also warned of hackers using it to infect other machines.

“Once you infected somebody this person can be weaponized in order to infect their friends and so on,” the researcher explained.

Valve, it seems, has a reputation for not being quick off the mark when it comes to addressing reported bugs. Carl Schou, the founder of the not-for-profit Secret Club group of security researchers, noted that Valve failed to acknowledge two other vulnerabilities reported by members of the group.

“Valve’s response has been a complete disappointment right from the start. Our experience has always been slow response times, with little to no patches being pushed to production,” he told Motherboard. “They truly don’t care about the security and integrity of their games.”