According to a report published by Motherboard on Wednesday, Valve has been sitting on a critical Remote Code Execution (RCE) flaw since June 2019. A security researcher by the name of Florian told Motherboard that he alerted Valve about this bug back then, it is still present in some Source Engine games that are still available via Steam.
Florian demonstrated the flaw in action in a call with Motherboard. The bug is pretty dangerous, as you can see that a hacker is able to take over a computer by getting a Steam user into clicking an invitation to play Counter Strike: Global Offensive (CS:GO). Valve has actually fixed this RCE vulnerability in other Source Engine games like Team Fortress, but it is hard to fathom why the popular CS:GO would remain unpatched in this regard.
Another aspect of the RCE bug discovered, which should make it a high priority to fix, is that it is possible to be modified to automatically spread from one Steam computer to another like a network worm. “Once you infected somebody this person can be weaponised in order to infect their friends and so on,” Florian explained to Motherboard.
Valve seems to have been slow to react to the RCE exploit report by Florian uploaded to bug bounty platform Hacker One. The slow and piecemeal response has left such white hat hackers such as Florian disappointed in the firm. Valve doesn’t have the best history with friendly hackers. For example, in 2019 the firm is said to have banned a security researcher from its bug bounty program after he found a similar bug in Steam, which left computers open to take over remotely.