Researchers discover nasty Steam security loophole that Valve allegedly initially brushed off

    
We all know that Steam is a pretty popular program for gamers, with over 100 million registered users and millions of people online at any given hour, and a userbase so fervent they’re willing to harass people who would launch on similar distribution platforms. So imagine, then, what it would be like if this popular program had an exploitable privilege escalation hole and the company that owns it decided to shrug at its discovery.

That’s the reality addressed in a Bleeping Computer article that elaborates on a privilege escalation vulnerability in the Steam client for Windows. This particular vulnerability is pretty insidious: it is a local privilege escalation, so the attacker has to already be running code on the machine as an ordinary, limited user, but from there it lets them run a program of their choosing as SYSTEM, which is more than even an administrator account gets. The article even goes into detail on how the loophole works and shares one researcher’s proof-of-concept script that uses the flaw.

Here’s how MOP’s Andy McAdams explained it to us: “What this exploit does is basically provides a link to Steam that Steam thinks it needs to run, even though it could be a virus or keylogger or botnet or whatever, and runs it as System. So now that baddie program is running in the background, doing all kinds of stuff that should require you to explicitly say is OK [with User Account Control permissions] without your knowing it’s happening. It’s not an especially difficult exploit to use either.”
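The article describes the class of bug (a Steam component running as SYSTEM acting on something a limited user controls) but not the precise mechanism, and the researchers’ proof-of-concept is not reproduced here. As an added example that is not from the article, Bleeping Computer, or the researchers, the PowerShell audit below (the function names Get-LowPrivWriteRules and Get-ServiceExePath are this example’s own) lists services that run as LocalSystem whose service registry key or executable grants write rights to Users, Everyone, Authenticated Users or INTERACTIVE. It is a generic check for this bug class on a Windows host, not a detector for the Steam flaw itself, and anything it lists is a lead to confirm by hand rather than a proven vulnerability.

```powershell
# Added example (not from the article, Bleeping Computer, or the researchers'
# proof-of-concept): audit for services that run as SYSTEM but whose binary or
# service registry key a low-privilege user can write to. It does not check for
# the specific Steam flaw, whose mechanism the article does not detail.

$lowPriv = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal change the object. GENERIC_WRITE (0x40000000) and
# GENERIC_ALL (0x10000000) can appear as raw bits in an ACE, so they are OR-ed in.
$fileWriteMask = [int]([System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership') `
    -bor 0x40000000 -bor 0x10000000
$regWriteMask  = [int]([System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership') `
    -bor 0x40000000 -bor 0x10000000

function Get-LowPrivWriteRules {
    # Return the Allow ACEs that grant any bit of $WriteMask to a low-privilege principal.
    param($Acl, [string]$RightsProperty, [int]$WriteMask)
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (([int]$_.$RightsProperty) -band $WriteMask) -ne 0
    }
}

function Get-ServiceExePath {
    # Extract the executable from a service PathName such as
    #   "C:\Program Files\Vendor\svc.exe" /RunAsService   or   C:\Windows\system32\svchost.exe -k netsvcs
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted path: grow the candidate one token at a time until it names a file on disk.
    $candidate = ''
    foreach ($token in ($PathName -split ' ')) {
        $candidate = if ($candidate) { "$candidate $token" } else { $token }
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

$findings = foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.StartName -eq 'LocalSystem' })) {
    # 1. The service's own registry key: write access here lets a user repoint ImagePath.
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $keyAcl = Get-Acl -LiteralPath $keyPath -ErrorAction SilentlyContinue
    if ($keyAcl) {
        foreach ($rule in (Get-LowPrivWriteRules -Acl $keyAcl -RightsProperty 'RegistryRights' -WriteMask $regWriteMask)) {
            [pscustomobject]@{ Service = $svc.Name; Object = $keyPath; Principal = $rule.IdentityReference.Value; Rights = $rule.RegistryRights }
        }
    }
    # 2. The service binary: write access lets a user replace what SYSTEM executes.
    $exe = Get-ServiceExePath $svc.PathName
    if ($exe) {
        $fileAcl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
        if ($fileAcl) {
            foreach ($rule in (Get-LowPrivWriteRules -Acl $fileAcl -RightsProperty 'FileSystemRights' -WriteMask $fileWriteMask)) {
                [pscustomobject]@{ Service = $svc.Name; Object = $exe; Principal = $rule.IdentityReference.Value; Rights = $rule.FileSystemRights }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No LocalSystem service with a low-privilege-writable key or binary found.' }
```

Run it from an ordinary (non-elevated) PowerShell session, since the point is what a limited user can reach; a hit on the registry key means ImagePath can be redirected, and a hit on the binary means the file SYSTEM executes can be replaced. Neither is the mechanism the Steam researchers used, which the article leaves to the Bleeping Computer write-up, so a clean result here does not mean the Steam issue is absent.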

Alarmingly, this exploit is apparently not unknown to Valve. When the discovery was brought to Valve’s Bug Bounty Program on HackerOne, the company reportedly did not award a bounty and simply told the researchers they were not allowed to disclose their findings. The writer of the proof-of-concept script has also allegedly had the same wall thrown up in front of him when he reached out to Valve. Additionally, the author of the Bleeping Computer piece says Valve did not respond to press inquiries this week but that a source did state HackerOne is reopening the bug report for further investigation.

source: Bleeping Computer. With thanks to fervorbliss for the tip!

Jeremy Barnes

Wow, that 1st paragraph. Is that the sort of coverage we can expect from Massively going forward? I mean, we’ve been getting it with Stay Citizen and Wildstar already so I guess.

Maklah

My thoughts exactly

Dane Ford

This is a total misrepresentation of how HackerOne works. Valve didn’t reject or brush off anything. You submit the bugs to HackerOne, they decide if it’s in or out of scope.

If it’s in scope they pass it along to valve who then pays. If it’s not in scope then you get told so, like this gentleman was.

The mischaracterization shouldn’t be that surprising I suppose after reading the leading paragraph. I get it, entitled whiny gamers and all that. Let’s try to be at least factual with our pandering.

Bereman

I suppose to better represent how HackerOne works, they should have mentioned how it was that organization that decided it was ineligible for reasons that didn’t actually apply to the vulnerability not once, but twice.

Maybe read more into the original discovery of the vulnerability, their reporting of it to HackerOne, and all that jazz, before you drop in with the patronizing attitude, eh?

silverlock

I think you’re expecting too much from Team Gabe.

Dane Ford

Maybe you misunderstand me.

I’m not defending HackerOne. I’m not saying it was in OR out of scope. They determined it was out of scope for reasons baffling to me. Total agreement.

What I’m saying, sir, is that to shift the onus onto Valve misrepresents how bug bounty programs work. Valve didn’t, as the article puts it “shrug at its discovery.”

HackerOne, for whatever reason, did. This is their screwup. So when I see a journalist totally whiff on something because they either don’t understand what they are reading or failed to perform any due diligence at all, it irritates me.

As far as being patronizing, that wasn’t my intent. I intended to be straightforwardly antagonistic. My apologies.

Edit: Also I’m not a Valve fanboy, like, you can be pissed at them for plenty of super valid reasons. Not really making games, the revenue split, the ui, whatever. This isn’t one of them.

traja

I have no idea how all of this works but the description on the HackerOne site for Valve definitely makes it sound like Valve is the decision maker. Whether that is true or not I don’t know but a lay person will easily get that impression when reading things like this:

“Valve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.”

Dane Ford

You are absolutely correct. Valve is the decision-maker, and it can decide basically whatever it wants with a caveat.

It goes through HackerOne first, as Valve (as most big companies do) has HackerOne fully manage their bug bounty program. HackerOne uses its discretion on whether or not something is valid, in or out of scope. The things HackerOne staff feel are in-scope and valid get submitted to Valve. Valve is the final decision-maker for everything you just said, but it has to reach them first.

In this specific case, HackerOne staff decided that it was out-of-scope. It never reached Valve. I know not everyone does bug bounties, or even knows what they are, so here’s a link that describes how it operates on HackerOne. I’ve only ever worked with BugCrowd, but it works much the same way.

More Info Here

MilitiaMasterV

Reminds me of why I don’t use Steam to begin with…since it’s an ugly monopoly and I don’t support those practices and boycott them everywhere I notice one.

Axetwin .

Valve does not, nor has it ever had a monopoly with Steam. You really should look into what an actual monopoly is.

semugh

Monopoly?
What about GOG? Itch? Gamejolt?

Makhiel

There’s a slew of games that you cannot buy outside of Steam, if monopoly is the wrong word for it what’s the right one?

Axetwin .

Such as? Outside of Valve’s first-party titles, I mean. Anything from the past 7-8 years?

Makhiel

Off the top of my head – the Eternal CCG, Golf with Your Friends, Destiny 2 is heading to Steam as it switches to F2P, the Jurassic World Tycoon (whatever it’s called), House Flipper, Viscera Cleanup Detail, Subnautica?, They Are Billions, …

(Granted, some of those are available on Switch, XBox and what not but I only have a PC)

zaber

Still, Valve is not paying them to be on Steam only. Subnautica is on the Epic store too. Destiny 2, I bet, will hit the Epic store or Discord at some point; it’s just that Epic and Discord may not have much of the back end that Steam still has. In the long run GOG is the best option for non-online games, as DRM-free games are much better for gamers overall than locked-down stores, which one day may end up going away.

zaber

Games not made by Valve are free to move outside of Steam to sell their games. If Steam paid off devs to stay on their store so no one else could have them, then that would be a monopoly or heading that way, but I don’t see any case of it. Pretty much what Epic is trying to do is be a monopoly, even down to the engine being used by tons of top AAA games. I do agree monopoly is bad, but people don’t really care as long as it serves their needs, or they would have moved from Windows a long time ago.

MilitiaMasterV

Actually, that ‘Epic’ store is finally providing some competition to Steam, which would make it less of a monopoly. I spent the last few months looking for another game, and kept finding a bunch of them only available through Steam…so I’m not able to play ’em. -shrugs- Not my problem if they want to lose customers by being Steam exclusive…

zaber

Epic is competition not only to Steam but to GOG and Discord and so on. It does not make Epic less of a monopoly if they keep buying rights to games just to get people to use their launcher, but don’t let devs sell those games outside of a contract. It does not mean the game never hits Steam; only a few games won’t be on Steam, as Epic pays the full amount for them. As for Steam-only people, why they lose is that people don’t care about monopoly; they just hate Steam for some reason. Same as me: Epic is losing a customer, but I don’t hate Epic; it’s more that why should I trade one DRM store for another? I end up going to GOG, as I know they bring something new to the table over Epic.

Tuor of Gondolin

OMG! I’m never using Steam again!

Okay, I’m lying.

silverlock

Privilege escalation is old-school hacking; how did something like this even get overlooked for so long in this day and age? Really, there’s no excuse for this bug existing in the first place.

Utakata

Handle: Valve
Email: Steam@gmail.com
Password: gabenewell

o.O

Schlag Sweetleaf

[image: security breach.jpg]

Utakata

That kinda reminds me of Peter Gabriel’s, Shock the Monkey vid. o.O

zoward

The way I read this on the tech sites was that HackerOne handles bug bounties for Valve. HackerOne are the ones who are downplaying this, not Valve. When the submitter tried to sidestep HackerOne and approach Valve directly with this, they were told that HackerOne handles all bug bounty submissions. Now that Valve’s name is being dragged through the mud over it, though, maybe they’ll step in and have a closer look.

Witches

By now everyone should know Steam is above mundane stuff like huge security issues, they only answer to public outcry, once a lot of people start complaining everywhere on social media, they’ll do something, or pretend to.

3dom

TL;DR Steam client is a giant backdoor currently. Watch the URLs you click.

I imagine Epic store management is swimming in champagne pools at the moment, celebrating the news. I mean, in bigger pools of champagne than they usually use since the Fortnite BR release.