This was like, over a decade back, I don’t remember it in accurate detail, and also, Garry deleted all the old Facepunch forums, which I do remember having a lot of discussion about this…

But, best I can recall, it was something like a buffer overflow/memory space exploit, because Garry exposed a core Steam function, that normally is only called by other Steam functions, in c++…

Well, Garry decided to give basically a lua api / reference method of accessing it directly, allowing doing arbitrary code injection into it, from anyone running a GMod server or networked client.

So I mean yeah, you can say Valve should not have trusted Garry with low level access to Source and Steam, that that’s their bad, they should have expected he would create a serious security exploit out of naivette/hubris, like the proverbial junior sql db admin who just does ‘DROP ALL’ on prod, as an ‘experiment’.

Uh yep, I would agree with that.

… I think this may have had something to do with Steam’s, fairly new at the time, achievements system roll out, but I’m not sure if that’s correct.

EDIT:

For those that don’t know, the vast, vast majority of what GMod is, is basically just opening up core Steam/Source calls done in C++, opening those up to Lua, by mapping them with reference methods, and then allowing Lua scripting via those methods.

Then on top of that, you draw like, the item spawning menu, tool menus, make a standardized template for making a new tool or weapon (SWEPs) or entities, or players or NPCs, etc.

So uh, yeah, if you’re not careful with that, if you don’t know what you’re doing at the lowest level, that can be very dangerous and easily lead to uh, unforseen consequences.