If you play CS:GO, Half-Life, Team Fortress 2 or Left 4 Dead, you may want to be wary of any Steam invitations you get.
That’s because the Source engine, which powers CS:GO and several other games, seems to include an exploitable vulnerability that could let cybercriminals to inject malware via Valve’s popular gaming platform. What’s worse, though, is that Valve has apparently known about this flaw for two years and still hasn’t fixed it.
This information comes from BleepingComputer, a security news site that focuses on viruses, malware, ransomware and similar threats.
The story of the Steam-invitation malware begins two years ago, when security-research team Secret Club reported on Twitter that they’d found a bug in the Source engine.
This prominent game engine powers a number of titles, including Counter-Strike: Global Offensive (CS:GO), Left 4 Dead 2 and even Portal. The number of people playing a Source game on Steam at any given time can number in the millions.
Secret Club said it went through all the proper channels. Florian, a secret club member, submitted the vulnerability to Valve’s bug bounty program, which paid him for his efforts and promised to fix the Source code. However, two years have gone by since then, and as of CS: GO’s most recent patch, the issue is still present.
The bad news is that if you’re looking for a way to protect yourself, there isn’t really one, save to avoid Source engine games entirely. That’s not practical, though, given that these games comprise some of the most popular multiplayer titles on Steam.
How the attack works
Here’s how the potential exploit works: An unsuspecting user logs into Steam and starts playing CS:GO (or a comparable game). A cybercriminal then sends that user a Steam invitation filled with malicious code.
The code takes advantage of a vulnerability in the Source engine and lets the cybercriminal inject additional code into the user’s PC. From there, a malefactor could install malware, draft the computer into a cryptocurrency-mining botnet, install a keylogger — all the standard malicious hacker stuff.
The good news, however, is that Florian has left the exact details of the vulnerability intentionally vague. As far as we know, no one has ever taken advantage of this exploit in the wild, suggesting that it’s probably too obscure and complicated for most hackers to attempt.
Technically speaking, Valve never forbade Florian from discussing the flaw in detail, but Secret Club doesn’t want to take any chances. At present, not knowing how the vulnerability works is potentially the only thing keeping CS:GO players safe.
Valve didn’t respond to BleepingComputer’s request for additional details. Tom’s Guide has also reached out to Valve for comment, and we will update this story when we receive a reply.
It’s anyone’s guess whether a patch for the Source engine is just around the corner or still years off. For now, CS:GO players should invest in the best Windows 10 antivirus software, since it may be the only thing standing between them and a computer full of malware.