CSGO exploit allows hackers to steal passwords, and Valve hasn’t fixed it

Alex Tsiaoussidis. Last updated: Apr 11, 2021
CSGO hacker exploit

CSGO players have been warned about a problematic exploit that allows hackers to steal passwords. Valve has apparently known about it for months and still not fixed it.

The Secret Club, a not-for-profit reverse-engineering group, discovered the exploit more than two years ago. They claim to have brought it to Valve’s attention back then. However, it has never been acknowledged, let alone fixed.

Now, they’ve decided to finally open up about it after claiming Valve has prevented them from publicly disclosing it for years.

The exploit allows hackers to steal CSGO player’s cosmetics, passwords, and data.

The first post pointed out the exploit allows hackers to access a user’s data using Steam invites. It’s tied to a remote code execution flaw that affects all source engine games, including CSGO. 

“Two years ago, secret club member @floesen_ reported a remote code execution flaw affecting all source engine games. It can be triggered through a Steam invite. This has yet to be patched, and Valve is preventing us from publicly disclosing it.”

Unfortunately, that’s only the beginning. A hacker can use the remote code execution flaw to practically do anything they want on a user’s system, including accessing data and running programs.

“On the topic of our previous thread, we have @brymko @cffsmith @scannell_simon showcasing their remote code execution 0-day for CSGO. This has been reported to Valve months ago, but they have neither paid them nor acknowledged the exploit.”

Last but not least, they revealed the scariest news of all. Hackers can also host community servers, send remote code executions to everyone in the lobby, and run a script to steal their passwords and skins, and even infect their hard drive with malware.

“Third times a charm; @the_secret_club member mev showcases their remote code execution 0-day for CSGO. This has been reported to Valve 5 months ago with no response from Valve.”

It’s bad enough that the exploit exists. Players will have to think twice about playing CSGO if they care about their data.

However, it’s more concerning that Valve has supposedly known about it for a while now and not fixed it, let alone swept it under the rug. They are yet to issue a statement on the matter.

If you are concerned about giving away your precious data booting up CS:GO, you might have stay away from the game for now.