Source Engine Vulnerability Allows Third Party Servers to Compromise User’s PCs

By | February 21, 2016

A user on Reddit has discovered an exploit that allows third party servers to write files of any type, including executable files, to any location on a client’s computer. The exploit also allows them to spoof the steam id, bypass cmd restrictions, and displaying a higher playercount than is actually true.

By sending a .bat file to startup folders on the user’s computer, as well as additional files, a source engine server could infect any user that connects to their server with a virus. Source Engine games utilizing 3rd party servers include all versions of Counter Strike, Team Fortress 2, Garry’s Mod and more. It is recommended that you only play on official servers until Valve patches this exploit. Single player  in source engine games is not affected, and playing on official Valve servers is not an issue either. You are only at risk when playing on Community servers. Keep in mind that matchmaking in several source engine games such as Team Fortress 2 or Counter Strike: Global Offensive(non-competitive) will place you on a community server.

In a worst case scenario, a community server could infect a user with ransomware, locking the uses computer and encrypting their files until they pay a large fee to recover the files. This can result in users losing tons of important data stored locally or ending up needing to spend enormous amounts of money to pay a ransom to recover it, if they fail to create backups. We always recommend backing up any important data, even if you’re confident in your hardware stability and system security. They could also install spyware intended to hack Steam accounts, steal credit card numbers, or find other personal information.

The user did not demonstrate how to recreate the bug, they only demonstrated that the bug does exist. Even though they recorded 2 videos as a proof of concept, it’s always possible that they could have faked it. There’s still a high chance that the exploit is real, so it’s strongly recommended that you avoid multiplayer until Valve responds. They claimed to have emailed Valve with the specific directions, but decided to go to the public after they didn’t respond after a day. Even though the details of how to recreate the exploit are not public knowledge, simply knowing that it exists will encourage hackers to try and replicate the bug, as they now know there’s a way to do so.

Do not rely on your  Anti Virus software to catch a potential virus install, as anti-virus software very often misses day-one exploits, and can’t catch everything. It’s best to rely on both anti-virus and smart decision making to avoid having your PC compromised.