On Monday, we reported that the non-profit group The Secret Club had revealed a user-threatening exploit in Valve games that could enable hackers to steal passwords, skins and various user data. Today we learned from the same source that the bug, which has now existed for over two years, has finally been fixed. At least partially...
The bug, which was dangerous for Counter-Strike: Global Offensive and Team Fortress 2 players and involved a remote code execution vulnerability, was present in all games based on the Source engine. Accepting an infected invitation on Steam was enough for hackers to gain access to our data. Valve reportedly found out about the flaw two years ago, but did nothing about it in all that time. More than that, it tried to keep information about the flaw's existence from being disclosed. When the community learned the truth, however, it turned out that not only was the problem fixable, but it could be fixed surprisingly quickly.
Remote code execution (RCE) is a situation in which a hacker gains access to another person's computer or an entire server and manipulates it without the owner's permission. Malware is usually used to take over a system.
That is not to say that the bug was fixed perfectly - some of the ways hackers could steal our data have been blocked, but others still exist. Twitter user teapotd shared a short video showing that code can still be remotely executed in CS:GO after the player accesses a malicious server hosted by the hackers. We continue to advise caution.
While the issue is yet to be fully resolved, there is hope that it will be: another Twitter user, floesen_ - who was the first to alert Valve to the bug's existence - has been assured by Gabe Newell's company that the issue will be addressed and that details will be released. floesen_ is about to prepare a detailed technical report, so expect further information on this matter.