Hackers can remotely execute the exploit via Steam invites and community servers. Valve was informed of this exploit five months ago but is yet to fix the issue.

The Secret Club, a group of ethical hackers has gone public with a Source Engine exploit that allows hackers to steal player information if they simply click on an invite. Accepting invitations to community servers can also put players’ data at risk. The group claims Valve is aware of this bug for quite some time, claims the group.

An exploit that puts CS: GO and TF2 player information at risk

A member of the Secret club who goes by the Twitter handle @floesen_, found the exploit over two years ago. The exploit is possible via a remote code execution flaw that affects all source engine games. More importantly, hackers can trigger the exploit via Steam invites and community servers.

So why did the reverse-engineering not-for-profit group wait so long before going public? Apparently, The Secret Club had informed Valve of this bug several months ago. But Valve prevented them from publicly disclosing this information but has still not patched the exploit. 

In a series of posts on Twitter, The Secret Club highlights how hackers can exploit this loophole. Unsuspecting players could end up with their information in the public domain leading to potentially malicious activities. 

In a subsequent post, Secret Club provides an exact timeline of the events. Valve has been aware of this exploit for five months but is yet to take any action. 

The exploit also puts Team Fortress users at risk if they simply join an infected community server. Hackers can run scripts to steal the passwords and skins of everyone in a community server lobby. There could also be bigger problems for players as hackers can, in theory, infect their systems with malware. 

Hackers can send invites to multiple accounts and in the process, steal data from many accounts at once. This is a serious exploit that can affect thousands, if not millions of users.

How to protect yourself from the Source Engine exploit?

With Valve yet to release any fix, players have to take some precautions. For starters, players should not accept or click on messages from any non-Steam friends. To be safe, it is advisable not to join community servers for the time being. 

Ethical hackers often find exploits and bring them to the publisher’s attention. While The Secret Club has brought this to Valve’s attention several months ago, Valve has not yet paid the ethical hackers for their efforts. For now, it is unsure if this source engine exploit works with Dota 2 custom lobbies. Dota 2 moved to the Source 2 engine in 2015

Stay tuned to esports.gg for the latest news and updates.

Rohan Samal -

Rohan Samal

| Twitter: @rohan_esports | Twitch: rohan_3105

Junior editor at Esports.gg. Still waiting to attend my first TI.