Valve Fixes Steam Crypto Bug That Exposed Passwords in Plaintext

Share this…

19-year-old college student fixes Steam’s crypto. Valve has updated the Steam gaming client to fix a severe security issue in the application’s crypto package. Under certain conditions, this issue would have allowed an attacker to view a user’s password in plaintext if observing network traffic when the victim was authenticating on the platform.

Security researcher Nathaniel Theis (XMPPwocky) is the one who discovered the issue and also came up with an advanced technical write-up detailing the attack’s steps.

To understand the attack, users first need to know how Steam’s cryptography works. Valve designed the Steam crypto module to keep data secret and to authenticate connections so that nobody can pass as another user.


Steam keeps data secret by encrypting all sensitive traffic with a session key. This session key is generated with an AES-256-CBC algorithm, encrypted with RSA-1024 plus a hardcoded public key, and then sent to Steam’s servers, where it is decrypted and used to decrypt traffic coming from the user.

Steam encrypted traffic was susceptible to MitM attacks

Researchers explained that the “secret” part of Steam’s encryption system was not the problem, but the “authentication” part was, about which they said Valve failed to protect using an MAC (Message Authentication Code).

The lack of an MAC allows a third-party to carry out man-in-the-middle (MitM) attacks that could get victims VAC-banned or even expose passwords in plaintext. Theis said the last part was possible because of a so-called oracle attack that leaks data via the encryption’s padding field.

The researcher reported the issue to Valve at 3:12 AM, and he claimed that, by 2:45 PM on the same day, the company had already deployed a partial fix, with a complete fix added at a later time.

Theis received help from a fellow researcher who goes by the name of Zemnmez, and they both received the Burning Flames Finder’s Fees from Valve. The company also inducted Theis into Steam’s Security Hall of Fame.