A group of security researchers known as The Secret Club has identified critical vulnerabilities that allow remote code execution (RCE) in Valve’s Source 3D game development technology. Source 3D technology is the engine behind Counter-Strike, Half-Life, Garry’s Mod, Team Fortress, Left 4 Dead and Portal.
When executing code remotely, a cybercriminal can access and steal confidential information, like development data and even user credentials and bank information (players).
On Twitter, the group has already published several content and videos demonstrating the vulnerabilities, but without showing too much, since, according to them, Valve, although it fixed the problem in some games, still does not update Counter Strike: Global Offensive (CS: GO), one of the company’s most popular games.
According to BleepingComputer, which contacted a member of the group, even after all this time, researchers cannot make detailed reports of the vulnerabilities, as they have not yet been fixed and some games are still affected.
The first vulnerability was reported by Florian, one of the group’s members, through HackerOne’s bug bounty program in June 2019. The reward was paid in late 2020, but the researcher has not yet been informed of the progress of corrections.
In an interview with BleepingComputer, Florian revealed that Valve’s last news on the case was given in late 2020, when the agreed amount for the reward was paid.
The Valve is one of the companies registered in HackerOne’s bug bounty program that does not allow researchers to detail vulnerabilities that have not yet been fixed, even after a period of 90 to 180 days. BleepingComputer has contacted Valve, but has not yet received a response.
Sources: BleppingComputer; The Secret Club.
See the original post at: https://thehack.com.br/vulnerabilidades-de-execucao-de-codigo-remoto-ainda-afetam-cs-go/?rand=48873
