Valve has finally fixed a Steam exploit that was first reported two years ago and was publicly brought up earlier this month by non-profit reverse-engineering group Secret Club.
Secret Club member @floesen_, who reported the remote code execution exploit, tweeted on April 17 that Valve had fixed the issue and given them permission to disclose the details. They also said that they are currently working on a detailed technical write-up which will be released soon.
Secret Club, whose self-described skillset “ranges from exploit hunting to game hacking to system emulation”, tweeted about the exploit on April 10. The exploit was described as a remote code execution flaw that affected every game that used the Source Engine, and was said to be triggered via Steam invites. Secret Club said at the time that Valve had not yet patched the issue and was also preventing the group from providing public disclosure on it.
While the Steam invite exploit has now been fixed, Secret Club has brought up other issues that have not yet been addressed. Secret Club tweeted videos of their members showcasing remote code executions for Counter-Strike: Global Offensive. In this case, the group said that the exploit had been reported “months ago” but had not yet been acknowledged by Valve.
It also turns out that the Steam invite exploit was not the only years-old issue that had not been attended to immediately, with Secret Club tweeting that a remote code execution flaw that affected Team Fortress 2 was also reported two years ago but had yet to be patched. Let’s hope that Valve doesn’t take too long to address these other exploits.