News > FPS > CS:GO

Critical Source Engine CS:GO bug: Hackers can use exploit to take over PCs

As found by a security researcher, hackers can use a remote code execution bug in CS:GO's source engine to take over players' PCs with a Steam Invite.
Critical Source Engine CS:GO bug: Hackers can use exploit to take over PCs

Fans of Valve's highly competitive tactical shooter, CS:GO, have been begging for the game to move to the Source 2 engine for years. Despite requests from fans, Valve has not moved CS:GO to Source 2, while moving their other big esports title, Dota 2, over years ago. Now, information has come to light suggesting the Source engine powering CS:GO, Portal, Team Fortress and more has a critical security bug that can be exploited by hackers to take control of gamers' PCs remotely...and it has been there for years.

CS:GO exploit in Source engine

Before we get into the gritty details, the CS:GO Source Engine exploit could allow hackers to take over your PC, then using your PC to take over more. Essentially, this can be done via a Steam invite...

The bug's technical term is "remote code execution (RCE)", a flaw in Valve's Source Engine code. Worst of all, this bug was found two years ago by a security researcher called Florian, who reported it to Valve’s bug bounty program on HackerOne.

CS:GO bug exploit source engine valve hackers remote code execution steam invites(Picture: Florian)

To make things clear, when this Source engine bug was found, all games built on the engine was affected. However, Valve might have patched some of these titles. CS:GO remains unpatched for this critical security vulnerability.

The last time Florian heard anything from Valve was six months ago, when they paid him the bounty for finding this security flaw and said they were in the process of fixing the problem.

Fast-forward six months later and it is not fixed, at least not in CS:GO. The video below showcases Florian using the remote code execution. Of course, specifics on how to do this was not revealed to safeguard gamers.

This bug in Valve's Source engine apparently works 80% of the time, which is extremely high.

Recently, Florian took to Twitter to explain: "I believe some things need to be clarified regarding my source engine exploit. First of all, I decided not to put people at risk by disclosing technical details before this gets fixed.

"I submitted the bug at H1 roughly 2 years ago and it got verified/triaged after a couple of months. That being said, I think it is reasonable to say that Valve had plenty of time to fix this issue."

Florian continued by saying he is not trying to harm anyone, and he just wants to see this bug getting fixed. However, he feels as if the bug will never get fixed unless this issue is addressed publically.

Maybe, just maybe, Valve should move CS:GO, alongside their other titles, over to Source 2 as they did with Dota 2. 

For now, maybe it is your safest bet to not lick on any suspicious Steam invites. We have no idea if hackers are currently using this Source Engine exploit to great effect, or how difficult this would be to accomplish.