You are now subscribed
Your newsletter sign-up was successful
Want to add more newsletters?
Every Friday
GamesRadar+
Your weekly update on everything you could ever want to know about the games you already love, games we know you're going to love in the near future, and tales from the communities that surround them.
Every Thursday
GTA 6 O'clock
Our special GTA 6 newsletter, with breaking news, insider info, and rumor analysis from the award-winning GTA 6 O'clock experts.
Every Friday
Knowledge
From the creators of Edge: A weekly videogame industry newsletter with analysis from expert writers, guidance from professionals, and insight into what's on the horizon.
Every Thursday
The Setup
Hardware nerds unite, sign up to our free tech newsletter for a weekly digest of the hottest new tech, the latest gadgets on the test bench, and much more.
Every Wednesday
Switch 2 Spotlight
Sign up to our new Switch 2 newsletter, where we bring you the latest talking points on Nintendo's new console each week, bring you up to date on the news, and recommend what games to play.
Every Saturday
The Watchlist
Subscribe for a weekly digest of the movie and TV news that matters, direct to your inbox. From first-look trailers, interviews, reviews and explainers, we've got you covered.
Once a month
SFX
Get sneak previews, exclusive competitions and details of special events each month!
After two years, Valve has patched the critical remote code execution exploit disclosed by @floesen_ https://t.co/JLdImZVAKrApril 17, 2021
Early last week a non-profit group dedicated to software reverse-engineering publicly announced that a dangerous exploit it had found in the Steam backend had gone unfixed for nearly two years, and worse, Valve was allegedly attempting to prevent them from publicly disclosing its existence. The exploit, involving Steam Invites, allegedly allowed a hacker to gain full control of a victim's system via a remote code execution.
White-hat hacker and software reverse-engineer communities often find exploits in software and report those discreetly to companies. They're often paid for that work through so-called "bug bounty" programs and organizations like HackerOne, however in this case the bounty program was widely perceived as a shield that let the exploit go unfixed: If the good guy discloses the bug they found publicly to try and get it fixed, the reward is put at risk.
The original finder of the exploit has confirmed the fix and says Valve has provided them with permission to disclose details. They are working on a detailed technical writeup for release in the future.
Good news! Valve fixed my recent exploit and gave me permissions to disclose details. That being said, I am working on a detailed technical write-up which I am going to release soon. Stay tuned!April 17, 2021
Public concern has now moved to other alleged Source Engine exploits reported by Secret Club which have gone unfixed. These include a Team Fortress 2 community server exploit and two separate CS:GO RCE exploits.
Update: A Valve rep clarified via email that the issue was specifically with the Source Engine, and not Steam. "We made a number of updates last week to address the issue, and responded to the HackerOne report," the rep said. "We believe the issue is resolved and continue to monitor the situation."
