Widely-publicized Steam Invite hack has been fixed

Early last week a non-profit group dedicated to software reverse-engineering publicly announced that a dangerous exploit it had found in the Steam backend had gone unfixed for nearly two years and, worse, that Valve was allegedly attempting to prevent the group from publicly disclosing its existence. The exploit, involving Steam Invites, allegedly allowed a hacker to gain full control of a victim's system via remote code execution.

Members of Secret Club, the non-profit organization that found the exploit, went public on Twitter about its existence after Valve had taken no action to fix it in the two years since Secret Club notified the company of the problem.

White-hat hacker and software reverse-engineer communities often find exploits in software and report them discreetly to companies. They're often paid for that work through so-called "bug bounty" programs and organizations like HackerOne. In this case, however, the bounty program was widely perceived as a shield that let the exploit go unfixed: if the good guy publicly discloses the bug they found to try to get it fixed, the reward is put at risk.

The original finder of the exploit has confirmed the fix and says Valve has provided them with permission to disclose details. They are working on a detailed technical writeup for release in the future.

Public concern has now moved to other alleged Source Engine exploits reported by Secret Club that have gone unfixed. These include a Team Fortress 2 community server exploit and two separate CS:GO RCE exploits.

Update: A Valve rep clarified via email that the issue was specifically with the Source Engine, and not Steam. "We made a number of updates last week to address the issue, and responded to the HackerOne report," the rep said. "We believe the issue is resolved and continue to monitor the situation."

Contributor

Jon Bolding is a games writer and critic with an extensive background in strategy games. When he's not on his PC, he can be found playing every tabletop game under the sun.
