Secret Club are a not-for-profit reverse engineering group who’ve found a number of exploits with Valve’s software, which they explain in a series of posts on Twitter. Each of these exploits are remote code execution flaws, which Secret Club told me via email gives a hacker “full control over the victim’s system, which can be used to steal passwords, banking information, and more.” Below they show how the exploit can be activated through Steam invites. Two more posts (here and here) show a type of the remote execution exploit working in CS:GO. This is done in the game itself, rather than through Steam. Secret Club claim this one was reported to Valve “months ago”, but they allegedly haven’t acknowledged the issue. Remote code execution is shown being used slightly differently in Team Fortress 2, where hackers can trigger the flaw while hosting a community server. Once players are in the server, hackers can send these remote code executions to everyone inside it, and get access to personal data, passwords, and all those things you don’t want hackers getting hold of. Scary stuff. Valve have yet to make any sort of statement about these exploits. I’ve contacted them for comment, and will update this article if I receive a response.
