The non-profit group Secret Club previously publicized a severe exploit involving Steam invites, an issue that allows hackers to take control of players' computers via remote code execution. The worst part is that Valve had not disclosed this issue, which has been going on for two years, to the public... until now.
Secret Club Goes Public With Fix on Steam Invite Hack
As reported by PC Gamer, Secret Club posted on Twitter about this Steam invite hack after Valve remained unresponsive to the issue. The publication noted that Valve had secretly known about this hack and had tried not to share it with the public.
After the statement from the non-profit group, Secret Club member Florian posted that Valve has decided to give them permission to fix the invite hack. The software engineer is currently working on a detailed technical write-up about the fix that they will release soon.
Good news! Valve fixed my recent exploit and gave me permissions to disclose details. That being said, I am working on a detailed technical write-up which I am going to release soon. Stay tuned! — Florian (@floesen_) April 17, 2021
As PC Gamer noted, white-hat hackers and software reverse-engineering communities often find exploits in software and report them to the game developers privately. The engineers are often paid for their trouble, a payment typically known in the business as a "bug bounty."
Steam Invite Issue: What Is It About?
According to a previous report by Lorenzo Franceschi-Bicchierai of Motherboard, the Steam invite bug lets hackers potentially take control of a player's PC by having them click on an invite to play "CS:GO" on Steam.
However, the bug does not utilize the Source Engine, which is used for other Valve game titles like "Team Fortress 2," "Portal," and "Left 4 Dead," but it could be patched on other game titles.
According to a Secret Club tweet, the group had discovered a remote code execution flaw affecting all Source engine games. At the time, it had yet to be patched, as Valve prevented players from publicly disclosing it.
Two years ago, secret club member @floesen_ reported a remote code execution flaw affecting all source engine games. It can be triggered through a Steam invite. This has yet to be patched, and Valve is preventing us from publicly disclosing it. pic.twitter.com/0FWRvEVuUX — secret club (@the_secret_club) April 10, 2021
After Secret Club posted about the Steam invite hack, other players posted on Twitter, too, and said that Valve had entirely ignored them when they tried to raise the problem. Twitter user Bien Pham even posted a demo video showing how the bug can achieve RCE by connecting to a malicious server, with the chain completing when the game is restarted.
How Can Gamers Protect Themselves From the Steam Invite Hack?
In a previous iTech Post report, we listed some tips that players should follow so as not to be a helpless victim of this Steam invite hack:
- Players should be cautious when accepting invites from people online whom they do not know. Sticking to trustworthy online friends should reduce the chance of being hacked compared with clicking on an anonymous invite from a stranger.
- When players are finished playing on Steam, they should check for any unauthorized software downloads they are unfamiliar with. Checking on a daily basis maximizes the chance of knowing whether players were victims of this invite hack. Note that hackers can get into the PC's data and access files on the computer.
- Staying away from Steam altogether can indeed reduce the chance of a player's PC being hacked. Also, following Secret Club on Twitter and other software reverse-engineering groups like HackerOne online can keep players updated on whether the hack has been fixed in "CS:GO" and other game titles on Steam.