Hackers Influenced Valve’s Online Games Using Vulnerabilities in the Steam Platform

The Check Point team has discovered vulnerabilities in the Steam gaming platform from Valve. The root of the problem lay in the Game Networking Sockets library (GNS or Steam Sockets).

GNS is the main online library used in a wide variety of games, including Valve’s own games (such as CS: GO, Dota2, Team Fortress 2) as well as third-party titles (such as Destiny 2).

Researchers found several vulnerabilities in Valve’s GNS implementation at once.

“The library can support communication both in P2P mode and in a centralized client-server mode. This factor has become a key factor, as this is how attackers can gain control over a computer connected to a third-party game server”, – Check Point researchers said.

Using vulnerabilities in GNS, hackers could carry out many different attacks that could have serious consequences. For example, an attacker could disable an opponent’s game client in order to win a match, or even provide a “spectacular” rage quit, completely shutting down Valve’s game server and making sure no one can play normally.

Let me remind you, by the way, that Check Point specialists hacked “Snake” prank game on Google Maps.

Experts say that the most dangerous situation is when users play a game created by third-party developers. In this case, the hacker could remotely compromise the game server in order to execute arbitrary code on it. As a result, the attacker gained access to personal data and personal information of other players.

Based on statistics from Steam, experts conclude that vulnerabilities in GNS put hundreds of thousands of players at risk every day, because in 2019 more than 95 million gamers were using Steam per month and got access to more than 34,000 games. And if earlier users were attacked by clicking on a link or downloading a file with malware, then in this case it was possible to become a potential victim of cybercriminals simply by entering the game.

In total, Check Point experts notified Valve of four vulnerabilities in GNS (CVE-2020-6016, CVE-2020-6017, CVE-2020-6018 and CVE-2020-6019), and back in September 2020, Valve engineers promptly eliminated all bugs.

“We recommend that users update third-party games. Particular attention should be paid to games downloaded before September 4, 2020 – on this day Valve released a patch for the Steam library”, — said Check Point Software Technologies representatives.

Let me remind you of an interesting case when DDoS attacks on Ubisoft almost completely stopped after company threatens with a lawsuit.