how are games with an RCE exploit still legally allowed to be sold or have an online server
like bo2 for example, Activision won't fix online and people fixed it and then they closed them but now the online servers have the rce hack so now what.


can someone from a business background explain to me what is happening with online in older games and how legal works.


the point of this post is 1. companies should fix the security of the games if they run the servers for them. 2. let the community fix them or have a community server tab like most games have and 3. shut down the online for people's safety.



like how do i, a gamer, care more about others than a AAA company.
Last edited by REALiNSaNgAMingGODPrODIgY; Jul 4, 2023 @ 10:09pm
Showing 1-15 of 15 comments
Qbert ⭐ Jul 4, 2023 @ 10:21pm 
Source?
Valve doesn't take security very seriously, for example how they allowed an exploit to exist in Steam client for 10 years that would allow hackers to take over the users' PCs through Steam, or how Valve banned a security researcher from Valve's bug bounty program after he reported to them serious security vulnerabilities 2 times and Valve only doing something about it after the public got word about the BS they pulled.
Qbert ⭐ Jul 4, 2023 @ 10:27pm 
Source?
They should just take down the public servers for these games in my opinion if they don't want to fix them. Let people play on private servers, but still keep the single player campaign playable.
Last edited by Mega Ultra Chicken; Jul 4, 2023 @ 10:43pm
Wolfpig Jul 4, 2023 @ 11:14pm 
If everyone would stop buying those games year after year the devs/publisher actually would care and do something.

But as everyone buys knowing that it is the same as always....
cSg|mc-Hotsauce Jul 4, 2023 @ 11:24pm 
Originally posted by Qbert ⭐:
Source?

CoD is known for RCE exploits on the older games.

https://steamcommunity.com/discussions/forum/0/4652759797630842960/

Reported. Jul 4, 2023 @ 11:41pm 
Originally posted by Qbert ⭐:
Source?

https://www.bleepingcomputer.com/news/security/cs-go-valve-source-games-vulnerable-to-hacking-using-steam-invites/

Valve has some policies that go against normal security practice.
Last edited by Reported.; Jul 4, 2023 @ 11:42pm
Yojimbo Jul 6, 2023 @ 2:49am 
k
VPNs don't do anything against RCEs btw
davidb11 Jul 6, 2023 @ 3:47pm 
Originally posted by BlueCanine:
Valve doesn't take security very seriously, for example how they allowed an exploit to exist in Steam client for 10 years that would allow hackers to take over the users' PCs through Steam, or how Valve banned a security researcher from Valve's bug bounty program after he reported to them serious security vulnerabilities 2 times and Valve only doing something about it after the public got word about the BS they pulled.

Please don't spread false claims.

it's not cool.

As for a game with RCE, certainly there are other ways to fix it. Besides having Valve do it.
Weimu Jul 6, 2023 @ 3:54pm 
Originally posted by davidb11:
As for a game with RCE, certainly there are other ways to fix it. Besides having Valve do it.
sure, but tbh i'm of the opinion these games should be taken off the store by valve until the developer/publisher fixes them, and only AFTER it's been fixed, that or they take servers for those games offline, like fromsoftware/bandai did for the souls games when they had an rce vulnerability
RiO Jul 6, 2023 @ 3:57pm 
Originally posted by davidb11:
Originally posted by BlueCanine:
Valve doesn't take security very seriously, for example how they allowed an exploit to exist in Steam client for 10 years that would allow hackers to take over the users' PCs through Steam, or how Valve banned a security researcher from Valve's bug bounty program after he reported to them serious security vulnerabilities 2 times and Valve only doing something about it after the public got word about the BS they pulled.

Please don't spread false claims.

it's not cool.

As for a game with RCE, certainly there are other ways to fix it. Besides having Valve do it.

Whether or not they take security seriously is debatable; but the remainder of what BlueCanine posted is verifiable via public news posts. I already cited the coverage ZDNet did of the case. Look for my prior post in this thread.

The particular exploit they're referring to was a trivially exploitable privilege escalation that would instantly give any malware full system access. And yes; HackerOne - the org running Valve's bug bounty program - did kick the researcher who tried to report this to them after he resubmitted the same report to them a second time over, trying to explain its seriousness.

Valve and HackerOne initially literally told said researcher they didn't consider it a security vulnerability under the bounty program, because it required a machine to already have malware on it such that it could execute code with local account permissions. They didn't consider the elevation from a limited user account to full system and kernel access, a security hole.

Which, well.. that does kind of go towards the claim that Valve doesn't take security very seriously, now doesn't it?
Last edited by RiO; Jul 6, 2023 @ 3:59pm
davidb11 Jul 6, 2023 @ 4:00pm 
Originally posted by RiO:
Originally posted by davidb11:

Please don't spread false claims.

it's not cool.

As for a game with RCE, certainly there are other ways to fix it. Besides having Valve do it.

Whether or not they take security seriously is debatable; but the remainder of what BlueCanine posted is verifiable via public news posts.

The particular exploit they're referring to was a trivially exploitable privilege escalation that would instantly give any malware full system access. And yes; HackerOne - the org running Valve's bug bounty program - did kick the researcher who tried to report this to them after he resubmitted the same report to them a second time over, trying to explain its seriousness.

Valve and HackerOne initially literally told said researcher they didn't consider it a security vulnerability under the bounty program, because it required a machine to already have malware on it such that it could execute code with local account permissions. They didn't consider the elevation from a limited user account to full system and kernel access, a security hole.

Which, well.. that does kind of go towards the claim that Valve doesn't take security very seriously, now doesn't it?

I mean, none of that makes sense ever, because no one is dumb enough to claim those things.
LOL.
Everyone who would not take that as a serious issue would be fired, and then fired out of a cannon into a volcano.
RiO Jul 6, 2023 @ 4:15pm 
Originally posted by davidb11:
Originally posted by RiO:

Whether or not they take security seriously is debatable; but the remainder of what BlueCanine posted is verifiable via public news posts.

The particular exploit they're referring to was a trivially exploitable privilege escalation that would instantly give any malware full system access. And yes; HackerOne - the org running Valve's bug bounty program - did kick the researcher who tried to report this to them after he resubmitted the same report to them a second time over, trying to explain its seriousness.

Valve and HackerOne initially literally told said researcher they didn't consider it a security vulnerability under the bounty program, because it required a machine to already have malware on it such that it could execute code with local account permissions. They didn't consider the elevation from a limited user account to full system and kernel access, a security hole.

Which, well.. that does kind of go towards the claim that Valve doesn't take security very seriously, now doesn't it?

I mean, none of that makes sense ever, because no one is dumb enough to claim those things.
LOL.
Everyone who would not take that as a serious issue would be fired, and then fired out of a cannon into a volcano.

Yet, it still happened.
Go look for the case details.

Because the researcher went public with the exploit, Valve's hand was forced and they had to fix it after all:
https://store.steampowered.com/oldnews/53319

Date Posted: Jul 4, 2023 @ 10:05pm
Posts: 15