Steam bug made it possible to take over accounts and infect users with malware
A vulnerability in Valve‘s Steam platform made it possible for malicious actors to take over user accounts, pilfer their items, and even infect their systems with additional malware.
The security kink resided in Steam‘s server browser functionality – which lets players look up severs for a number of games (including hit titles like CS:GO, Half-Life 2, and Team Fortress 2) – according to a HackerOne vulnerability disclosure made public on March 15.
The security researchers who unearthed the bug note they were only able to exploit the attack vector on Steam‘s client for Windows. They further said the bug was also present in Steam for Linux and Apple’s OS X, though they were unable to successfully exploit it on those systems.
“An attacker can successfully exploit a victim with a probability of 0.2 [percent], which is more than enough if we are talking about an attacker distributing this exploit massively to all Steam users ([one] new victim every 512 attempts [on] average),” the researchers wrote.
To make matters worse, it was possible to combine this vulnerability with others to make the attack vector even more efficient. “This vulnerability can be chained with another memory leak vulnerability to make it 100 [percent] reliable,” the researchers added.
To test out this hypothesis, the researchers intentionally set up their own malicious server.
“An attacker can execute arbitrary code on the computer of any Steam user who views the server info of our malicious server,” they wrote. “From there on, an attacker could do whatever he [or] she wants.” Among other things, the flaw allowed taking over accounts, stealing in-game items, exfiltrating documents, and even installing additional malware.
Don’t sweat it though, Valve has confirmed the flaw has since been patched on Windows, OS X, and Linux.
The disclosure report shows the researchers first outlined the issue last December. In return for their efforts, Valve awarded them with a $15,000 bug bounty and an additional $3,000 bonus. Not a bad payday.
It remains unclear whether hackers were able to exploit the attack vector before Valve fixed it. We’ve reached out to the game-maker for further comment, and will update this piece accordingly if we hear back.