
Valve accused of ignoring existing RCE vulnerability in Source games for 2 years

225 points| mxscho | 4 years ago |twitter.com

119 comments


dafelst|4 years ago

I have a friend who used to work at Valve as a software engineer - he mentioned to me that the entire source networking stack is chock full of unchecked buffers and all sorts of potential for fairly trivial RCEs, but due to Valve's internal structure (or lack thereof) there really isn't any incentive for anyone to fix them.

This was 5-6 odd years ago and he no longer works there, so things might have changed, but based on this tweet it seems unlikely.

TazeTSchnitzel|4 years ago

> due to Valve's internal structure (or lack thereof) there really isn't any incentive for anyone to fix them

This seems to be a common theme with problems at Valve.

atat7024|4 years ago

Game devs don't optimize for security, because they're not incentivised to.

KyleSanderson|4 years ago

Indeed, there's still plenty of these.

sodality2|4 years ago

Dozens of Counter-strike exploits exist and the cheating scene has just grown too rampantly. Valve simply doesn't care about the source engine. Any new CSGO player will tell you the anti-cheat doesn't work, I know first-hand.

The lack of care regarding source engine netcode extends to every part of the source engine, including Valve Anti-cheat.

The anti-cheat is trivial to reverse (several PUBLIC bypasses have existed for years on github, with zero patch), the engine source has been leaked, reverse engineered, and fiddled with by thousands of 14-year-old kids. It is pathetically easy to bypass, for example, by changing a single byte in memory you can see through walls, see enemy money, etc. See this video I found about how miserably broken it is: https://files.catbox.moe/8e3bxz.mp4

It is in my opinion the greatest loss to gaming that a classic, legendary game like Counter-strike got completely ruined by lack of care by a company that profits millions off of the case unboxings.

valec|4 years ago

> CSGO player will tell you the anti-cheat doesn't work, I know first-hand.

> It is in my opinion the greatest loss to gaming that a classic, legendary game like Counter-strike got completely ruined by lack of care by a company that profits millions off of the case unboxings.

have you played the game in recent years? this has not been the case for me or the people I play with at all.

when playing on high trust-factor accounts, cheating is basically eliminated.

the experience for newer players is pretty bad but once you convince the system you're trustworthy, the algorithm does an extremely good job of not matching you with cheaters.

what valve lacks in boring, sensible solutions they make up for with interesting often much more complex workarounds (see: the open-world csgo danger-zone map shoved into a game with a room-based engine)

skim_milk|4 years ago

>and fiddled with by thousands of 14 year old kids

People think you're kidding, but it's really that easy on Source! For a while, the most popular TF2 (a Valve Source game) hack was created by a 15-year-old. He made at least a million dollars in profit too! (can't remember if this factoid was verified or not, but he can definitely pay for college now) I wasn't nearly as talented, but I made some hacks for fun when I was 15 or 16 years old.

chc4|4 years ago

Video game cheats and anti-cheats are almost completely disjoint from remote code exploits like what are reported in the OP.

grawprog|4 years ago

Normally, I can handle some cheating in games, you just kinda deal with it, but holy fuck csgo was just nope. Between foul mouthed children and essentially watching God hackers play against each other while you just die over and over.

Yeah... no, not exactly fun.

sseneca|4 years ago

The outrageous profit Valve make from skins and the like is only half the story imo, their internal structure is the rest. Some of the stories ex-devs share from that place are just... idk, they explain the company’s apparent ineptitude

gameswithgo|4 years ago

No anti cheat for FPS games has ever "worked", it can't. The best you can do is make it a little hard for the cheats to keep up with your detectors or protocol changes.

hoffs|4 years ago

You found a video that says that they detect most old cheats from hl2 days and ban them and then the video just goes to show random github repos. What is that even supposed to prove? There's nothing stopping anyone from creating repos with cheats that get detected or don't even work. Like it's just a super cringe "gotcha" type video.

guidovranken|4 years ago

There's a place for being patient and lenient, but HackerOne consistently seems to not shut down malfunctioning programs that never pay rewards and flat out stop talking to you, yet continue to collect bugs. Such a relationship is commonly called fraud so I suggest reporting HackerOne to the Federal Trade Commission as I have.

The premise of bug bounties is that the reward amount is at the discretion of the program host and that the time incurred by developing a fix will influence the moment of payout, but refusing to pay and even communicate (for years!) for clearly eligible submissions is well beyond a reasonable interpretation of the conditions, and to consistently keep facilitating this abuse is simply fraudulent.

tgsovlerkhgsel|4 years ago

This matches my experience. Additionally, they prohibit disclosure in such cases, effectively making them complicit in delaying (best case) or in many cases completely suppressing disclosure.

xyst|4 years ago

This is why I have a separate machine for "gaming" and "work"

Some game companies (riot games) even install their anti-cheat software so that it loads in the ring 0 space. Even with their best efforts, cheaters will still prosper.

Might even go a step further and firewall my gaming machine off from the rest of my network.

invokestatic|4 years ago

No, anti-cheats in ring0 haven't eliminated cheaters, but that was never the point. The point is to make it more difficult to cheat. And they have succeeded in that. Check any cheat forum like unknowncheats. You'll see that most hackers now have to chain multiple (complex) exploits together to get their cheats working, only to get it patched by the anti-cheats a few days/weeks later. This is way more difficult and prone to detection than ReadProcessMemory was before anti-cheats went ring0.

walrus01|4 years ago

It seems that a lot of people forgot about things like sony installing rootkits on people's PCs. Now it's accepted for gaming anti-cheat software?

fpgaminer|4 years ago

This is the way.

Many games package in outright spyware that siphons all kinds of data off your machine, including browsing history. Kerbal Space Program was infamous for this (they removed the spyware at some point, but I haven't checked recently if it was ever added back in).

Guest19023892|4 years ago

This is one of the reasons I like gaming on GeForce NOW. I can use my primary laptop, play any game without having to install anything, instantly alt-tab back to the desktop between rounds without any weird bugs or crashes, etc.

matheusmoreira|4 years ago

Game companies literally think they have the right to own your machine. This is the kind of garbage they force gamers to install on their machines:

https://www.theregister.com/2016/09/23/capcom_street_fighter...

https://mobile.twitter.com/TheWack0lian/status/7793978407622...

Their software also takes screenshots, walks the file system, scans people's processes... Any similarities to malware may or may not be mere coincidences. They're also known for false positives: banning people for receiving special strings via text message, unknowingly installing mods with hacks bundled in, or due to the presence of development tools such as debuggers or even virtual machines. Good luck trying to reverse such a ban; the entire gaming community has already been conditioned to accept any decision as final and to even defend this practice. When coupled with DRM, this essentially means your license to play the game has been revoked with no refunds.

sseneca|4 years ago

> Some game companies (riot games) even install their anti-cheat software so that it loads in the ring 0 space.

Why are separate machines required, rather than dual-booting? (i.e. Windows for games, Linux for everything else)

JUNGLEISMASSIVE|4 years ago

I hope those separate machines are also on separate network segments without a route in between.

mxscho|4 years ago

According to a tweet that was also retweeted by the user @floesen_ who was mentioned in the original thread, the initial report 2 years ago was done using HackerOne but has probably not seen any helpful response from Valve [1]. There are also other reports of Valve not reacting to HackerOne reports appropriately [2].

It is currently unclear whether there is a publicly available PoC or any exploitation going on in the wild.

[1] https://twitter.com/AntiCheatPD/status/1380873722966503426

[2] https://twitter.com/killa/status/1380872852090540032

pricechild|4 years ago

> There are also other reports of Valve not reacting to HackerOne reports appropriately

I'll second that.

I discovered and reported a vulnerability with the Steam client's Bluetooth pairing process via hackerone.

The issue was confirmed but decided "out of scope" as apparently "within bluetooth range" runs afoul of the bug bounty's "require physical access" exclusion.

8 months later (I haven't exactly kept on top of this) they're still demanding I keep it confidential. I'll follow it up...

tgsovlerkhgsel|4 years ago

HackerOne also at least strongly discourages publishing your findings if the developers refuse to take action.

https://www.hackerone.com/disclosure-guidelines states that "After the Report has been closed, Public disclosure may be requested by either the Finder or the Security Team." - so if the report just doesn't get closed, you can't disclose through the platform, and https://www.hackerone.com/policies/code-of-conduct says "Disclosing report information without previous authorization is not permitted."

To me, that seems that you're not permitted to disclose the issue at all until the report has been closed and either 1) 30 days have passed and the security team hasn't requested an extension, or 2) "180 days have elapsed with the Security Team being unable or unwilling to provide a vulnerability disclosure timeline".

Due to this, I refuse to report through HackerOne.

gsich|4 years ago

2 years? Just leak it. At some point "responsible" disclosure is not worth it.

anonymousab|4 years ago

More so, at some point it may be more responsible to exert real pressure and a time concern on them to fix it by revealing the flaw.

It depends on whether you think there's a reasonable chance that someone may be using that exploit by now. Carrot and stick approaches do not work without a reliable stick.

Edit: I suppose it also depends on how much you value going through the exact same process with valve for other bugs in the future. But in a situation like this it seems like little would be lost.

BlueGh0st|4 years ago

Absolutely! Going public is an important part of responsible disclosure.

Aissen|4 years ago

Totally believable. Someone I trust in the RE community told me about similar shenanigans when trying to report issues to Valve.

dkarras|4 years ago

It would be a shame if an "anonymous hacker" "hacked" @floesen_, found their notes about the RCE and released it to the public, accidentally of course.

sneak|4 years ago

It would probably also be a shame when floesen_ got sued for an NDA violation and had to spend tens of thousands of dollars in civil court explaining that they got hacked and it's not their fault.

breakingcups|4 years ago

At this point, just leak it to Project Zero anonymously and let them wring Valve's hand for you.

There's a small chance you might still get the bounty, because you reported it first. And if not, because it's already disclosed by another party, you can cry foul on social media.

zokier|4 years ago

Source engine itself is at least 16 years old, and has pretty direct lineage to the original 21 year old Quake engine (Quake (-> Quake II) -> GoldSrc -> Source). I would be more surprised if there weren't lots of RCEs in it.

rasz|4 years ago

Imagine you are Valve - why would you fix anything? Your money printer goes Brrr regardless, and legal assures you the H1 deal prevents participants from leaking anything.

DanAtC|4 years ago

Unless you have the clout of Project Zero, "responsible" disclosure is anything but.

Full disclosure or no disclosure.