The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.
Check Point Research has identified four vulnerabilities in the network library of Steam, the online platform from game developer Valve that is used by 25 million users to connect together at peak time to buy, play, create, and discuss PC games.
The platform hosts thousands of games, as well as downloadable content from major developers and indie game designers.
The vulnerabilities were found in the network library used by Steam, known as Steam Sockets, according to Check Point. The library is offered as part of a toolkit for third-party game developers, and the vulnerabilities were found on both Steam servers and on its clients, which are installed on a gamer’s PC, Checkpoint said.
Check Point said it shared its findings with Valve in September. After three weeks, the fixes were shipped to different Valve games, the company said. To patch, Steam gamers were required to install the update before they could launch a game.
Valve informed Check Point Research that it had notified third-party game developers about the vulnerabilities, Check Point said.
The implications of a gaming attack
If left unpatched, an attacker could have used the security flaws to remotely crash an opponent’s game client and potentially take over a gamer’s computer and hijack all computers connected to a third-party game server. Popular Steam games include Counter Strike: Global Offensive, Dota2, and Half Life.
An attack is triggered by sending bursts of malicious packets to the opponent gamer, without any interaction from the opponent gamer, the security firm said. An attacker could have forced third-party game servers to take over all connected gamers, without any of them noticing.
“If exploited, these vulnerabilities would enable a variety of possible attacks,” Check Point said. “For example, an attacker could remotely crash an opponent’s game client to force a win or even perform a ‘nuclear rage quit’ and crash the Valve game server to end the game completely. Potentially even more damaging, attackers could remotely take over third-party developer game servers to execute arbitrary code.”
Video games have reached an all-time-high during the coronavirus pandemic, making them a prime breeding ground for attackers, said a Check Point security researcher, Eyal Itkin.
“With millions of people currently playing online games, even the slightest security issue can be a serious concern for gaming companies and gamer privacy,” Itkin said in a statement. “Through the vulnerabilities we found, an attacker could have taken over hundreds of thousands of gamer computers every day, with the victims being completely blind to it.”
Other attack scenarios include sabotaging online games, in which an attacker is able to crash the server at any time they please, forcing the game to stop for all gamers at once, Itkin said.
How to stay safe
Popular online platforms are a prime target for attackers. “Whenever you have millions of users logging into the same place, the power of a strong and reliable exploit raises exponentially,” Check Point said.
With the skyrocketing popularity and massive usage of video games throughout the coronavirus pandemic, the gaming industry should be subject to scrutiny, since the risk is very real and the impact may be as serious, Check Point advised. “Gamers should pay close attention to any games downloaded before September of this year.”
Valve gamers and third-party gamers are the two types of users affected, Check Point said. A user playing Valve’s games through Steam is already protected through the fix, and they should make sure they don’t have a notification about a pending update that they should install, the firm said.
The updates by Valve should block the game’s launch, Check Point said. However, users of third-party games should check that their game clients received an update in recent months. If not, they will need to contact the game developers to check when an update will be released, the firm advised.