We all know that Steam is a pretty popular program for gamers, with over 100 million registered users and millions of people online at any given hour, and a userbase so fervent they’re willing to harass people who would launch on similar distribution platforms. So imagine, then, what it would be like if this popular program had an exploitable system access loophole and the company that owns said program decided to shrug at its discovery.
That’s the reality addressed in a blog post from Bleeping Computer that elaborates on a privilege escalation vulnerability in Steam. This particular vulnerability is pretty insidious, as it allows an attacker with limited permissions to run a program as an administrator. The blog even goes in to detail on how the loophole works and shares one researcher’s proof-of-concept script that uses the flaw.
Here’s how MOP’s Andy McAdams explained it to us: “What this exploit does is basically provides a link to Steam that Steam thinks it needs to run, even though it could be a virus or keylogger or botnet or whatever, and runs it as System. So now that baddie program is running in the background, doing all kinds of stuff that should require you to explicitly say is OK [with User Access Control permissions] without your knowing it’s happening. It’s not an especially difficult exploit to use either.”
Alarmingly, this exploit is apparently not unknown to Valve. When the discovery was brought to Valve’s Bug Bounty Program on HackerOne, the company reportedly did not award a bounty and simply told the researchers they were not allowed to disclose their findings. The writer of the proof-of-concept script has also allegedly had the same wall thrown up in front of him when he reached out to Valve. Additionally, the author of the Bleeping Computer piece says Valve did not respond to press inquiries this week but that a source did state HackerOne is reopening the bug report for further investigation.
Steam Zero-Day Vulnerability Affects Over 100 Million Users – by @LawrenceAbramshttps://t.co/HLOFqLCLKt
— BleepingComputer (@BleepinComputer) August 8, 2019