Steam Invites and TF2 community servers may have been used to hijack PCs, hack hunters claim
But Secret Club claims Valve has sat on the problem for years.
An exploit in Source Engine games like Team Fortress 2 and Counter-Strike: Global Offensive may have let hackers remotely access players' PCs for years, a non-profit reverse-engineering group revealed this weekend.
In a series of tweets, Secret Club revealed that all Source games share a remote code execution flaw that can be triggered via Steam invites or community servers. In an email to RPS, Secret Club explained that this exploit gave the attacker "full control over the victim's system, which can be used to steal passwords, banking information, and more".
Most damning of all is that this exploit is allegedly still active—and despite discovering one instance two years ago, Secret Club claims Valve is trying to prevent it from sharing the knowledge publicly.
Two years ago, secret club member @floesen_ reported a remote code execution flaw affecting all source engine games. It can be triggered through a Steam invite. This has yet to be patched, and Valve is preventing us from publicly disclosing it. pic.twitter.com/0FWRvEVuUX (April 10, 2021)
Other, similar instances of the exploit (such as this one in CS:GO) are more recent. But months after reporting the issue to Valve, Secret Club members report the studio has yet to even acknowledge the issue.
On the topic of our previous thread, we have @brymko @cffsmith @scannell_simon showcasing their remote code execution 0-day for CS:GO. This has been reported to Valve months ago, but they have neither paid them nor acknowledged the exploit. pic.twitter.com/yGUJTZZzrO (April 10, 2021)
Fears of a Source Engine security breach were raised last April, when leaked source code for TF2 and CS:GO revealed potential remote code execution exploits. At the time, Valve explained that the leaks were in fact "limited" builds from 2017-18, and posed no danger to players.
"From this review, we have not found any reason for players to be alarmed or avoid the current builds (as always, playing on the official servers is recommended for greatest security)," Valve said in a statement to PC Gamer at the time. "We will continue to investigate the situation and will update news outlets and players if we find anything to prove otherwise."
We've contacted Valve for comment on these latest exploits.
20 years ago, Nat played Jet Set Radio Future for the first time, and she's not stopped thinking about games since. Joining PC Gamer in 2020, she comes from three years of freelance reporting at Rock Paper Shotgun, Waypoint, VG247 and more. Embedded in the European indie scene and a part-time game developer herself, Nat is always looking for a new curiosity to scream about—whether it's the next best indie darling, or simply someone modding a Scotmid into Black Mesa. She also unofficially appears in Apex Legends under the pseudonym Horizon.