Tag Archive for: Valve

CS:GO hackers can inject malware to steal passwords; Valve yet to fix the vulnerability


A new vulnerability related to CS:GO has come to light, as The Secret Club, a not-for-profit reverse-engineering group, tweeted about a security flaw in CS:GO, which hackers can use to run programs on a user’s system.

This potentially means hackers can steal skins and passwords and inject malware into a CS:GO player’s system using the flaw, which is technically called a remote code execution flaw.

Two years ago, The Secret Club members discovered this vulnerability in Valve’s game and let Valve know about it through a bug-bounty platform called HackerOne.

Valve is a customer of HackerOne, which provides cybersecurity solutions to many more big companies, like Uber, Goldman Sachs, and Nintendo, to name a few.


Hackers can exploit CS:GO’s critical security flaw to breach users’ systems

As implied by several reputable sources, the ethical hackers are under a non-disclosure agreement with the HackerOne platform, which deters them from disclosing the vulnerability to the public.

As the videos in the Secret Club’s tweets show, hackers can use Steam invites to access a user’s system through a remote code execution flaw that affects all Source engine games, including CS:GO, Titanfall 1, Titanfall 2, Apex Legends, etc.

This is one of the first vulnerabilities that the Secret Club reported, and this was two years ago. To be precise, it was Florian from the Secret Club who reported it, and needless to say, Valve has yet to fix it.

In a second tweet on…

Valve fixes zero-day exploit for Steam in latest beta – Neowin

Valve has fixed a zero-day exploit in the latest Steam beta, released earlier today, that could potentially be used to mount an escalation of privilege attack.

Valve issues patch for Steam zero-day flaws in latest beta channel update – The Next Web

  1. Valve issues patch for Steam zero-day flaws in latest beta channel update – The Next Web
  2. Valve patches recent Steam zero-days, calls turning away researcher ‘a mistake’ – ZDNet
  3. Steam cleaned of zero-day security holes after Valve turned off by bug bounty snub outrage – The Register
  4. Researcher banned from Valve’s bug bounty exposes second Steam zero-day – The INQUIRER
  5. Researcher releases second Steam zero-day vuln – bit-tech.net

Valve Clears Up Nothing With Its Latest Explanation Of What Games It Will Ban As ‘Troll Games’

You will recall that several months back, Valve released a statement outlining what it considered to be sweeping changes to its game curation duties. While the company made a great deal of forthcoming tools on the Steam store for filtering game searches, pretty much everyone focused on the platform’s claim that it would no longer keep any game off its platform unless it was “illegal or a troll game.” That, of course, still left all kinds of ambiguity as to what is and is not allowed on the platform and it provided a wide avenue through which Steam could still drive its oversight truck. This led to our having a podcast discussion in which I pointed out repeatedly that this was every bit as opaque a policy as the one that preceded it, which was followed by the real-world example of developers across the spectrum pointing out that they in fact had no idea what the policy actually meant. In other words, the whole thing has generally been an unproductive mess.

A mess which Valve tried to clean up this past week in an extensive blog post on its site which attempted to define what it meant by “troll games.” As the folks at Ars point out, this attempt at clarity is anything but. Much of what Valve lays out as “troll games” makes sense: scam games that work Steam’s inventory system, or try to manipulate developer Steam keys, or games that are simply broken due to a lack of seriousness on the part of the developer. But then it also said the definition included what most people thought of in the original announcement: games that “just try to incite and sow discord.”

Valve’s Doug Lombardi said at the time that Active Shooter was removed from Steam because it was “designed to do nothing but generate outrage and cause conflict through its existence.” That designation came despite the fact that the developer said the game was “a dynamic SWAT simulator in which dynamic roles are offered to players” and that he would “likely remove the shooter’s role in the game by the release” after popular backlash to the idea.

As the developer noted at the time, too, “there are games like Hatred, Postal, Carmageddon and etc., which are even [worse] compared to Active Shooter and literally focuses on mass shootings/killings of people.”

It’s as good an example as any for pointing out what has always been true about art forms: one person’s inflammatory content is another person’s artistic genius. More worrisome, Valve’s own words on its policy put the company squarely in the business of mind-reading, with its post suggesting that troll developers are those that aren’t actually interested in making or selling a game. It relies on Valve’s own analysis of a developer’s “good faith” in putting forth the game.

While good-faith developer efforts can obviously lead to “crude or lower quality games” on Steam, Valve says that “it really does seem like bad games are made by bad people.” And it’s those bad games from bad people that Valve doesn’t want on Steam.

Absent a mind-reading device, determining a developer’s motives isn’t an easy task. Defining what separates a good faith effort to sell a game from a “troll” involves a “deep assessment” of the developer, Valve says, including a look at “what they’ve done in the past, their behavior on Steam as a developer, as a customer, their banking information, developers they associate with, and more.”

We could spend a great deal of time discussing how qualified Valve is in making these determinations, or what value such curation provides for a platform like Steam. Or we could talk instead about whether this treatment sets video games back a notch or two as an art form, with corporate oversight playing the role of evaluating each artist’s intent.

But the real lesson here is that, whatever you think of Valve’s definitions above, it is clear as day that these explanations are not in line with the overall message in Valve’s original notice of the change in policy. The company explicitly said at that time that it didn’t believe it should be in the business of deciding what types of games with what types of content users should see on the platform. The whole point of this was for wide inclusion, whereas it seems really hard to see any daylight between this updated explanation and Steam’s historical curation policy. Valve still gets to decide what goes on the platform.

So many words and so much time for so little effect, in other words.

Techdirt.