Despite growing interest from large companies in cybersecurity , 2021 is showing that there are still serious vulnerabilities in the software we use every day. This week we have known a serious flaw in WhatsApp that the company does not want to patch, and now the same thing happens with Valve , where three different security flaws allow taking control of any computer that has Steam installed.
The base vulnerability has been present in the Steam client for Windows 10 for at least two years . Cybersecurity researchers from The Secret Club group reported the first of the flaws two years ago to Valve, but the company has ignored it and did not respond to them. The last ruling they reported was five months ago, but they have also been ignored, and even threatened with legal action if they publish it. However, they have decided to make the three bugs public in order to press for them to be patched.
Games like CS: GO, affected by three glitches
The vulnerabilities are present in all games based on Valve’s Source engine , including even the most up-to-date version of it. The way to activate the first bug is by simply inviting a game through your Steam friends list. If we receive it and give it to Play, the game will open and the vulnerability will be executed.
With this vulnerability, the attacker has full access to the computer , and the researchers demonstrate the success of the flaw by opening the Calculator application. In the following video we can see how easy it can be used:
The failure can also be exploited in another way, where the user only has to enter a community server , which are those managed by users privately in games like CS: GO outside of Valve officials. These servers stand out for offering personalized maps or game modes, and in almost all cases files are downloaded that can endanger our PC. In this case, it is not even necessary to download the files so that an attacker can take control of our computer completely.
There is also a third flaw that also leads to remote code execution through a zero-day vulnerability just by running a modified in-game map , which would need to be downloaded. In this case we also find a video to see how it works:
The bug is not yet patched
While Valve decides or not to patch these three flaws, it is important not to accept friend invitations from strangers, much less their invitations to play. If you want to be completely protected and you don’t usually play with friends, one option is to put yourself as Offline in the Friends List , so that no one can invite you to play or open a chat for you.
The problem with this bug is that, even if you avoid invitations from strangers, this bug can also come to you through your friends if hackers have managed to take control of your computer. As soon as how the exploit works is discovered , we could see a huge spread by attackers through the friends list of Steam users. By taking control of a PC, not only can they open Steam, but they can steal your money, messages, files, etc. And having Steam Guard won’t do much good.
