Critical zero-day vulnerability on Steam online gaming platform

The gamer community is not safe from cyberattacks: multiple groups of malicious hackers treat it as hunting territory, whether for economic gain or to cause disruptions on some platforms or against users. This time, a web application security expert claims to have discovered a critical zero-day vulnerability in the Windows client of the popular online video game platform Steam.

According to Vasily Kravets, the expert behind the finding, the vulnerability resides in Steam Customer Service and, if exploited, would allow threat actors to execute arbitrary code with LocalSystem privileges using just a few commands. “A user without administrator privileges could easily exploit this device to start or stop Steam Customer Service,” he says.

This Steam feature sets permissions on different registry keys by default, so any malicious user could establish a link between one of those keys and another belonging to an external service. If successful, the attacker will be able to stop or start the service at will.

The web application security expert claims that he notified Valve Software, the developer of Steam, of the vulnerability on June 15 through the HackerOne platform. Kravets also mentions that he attached to the report a detailed description of the attack, a proof of concept and an executable file.

In response, HackerOne notified Kravets that the vulnerability had been rejected because it’s “an attack depending on the ability to place files in arbitrary locations on the user’s file system, so it is beyond the scope of the vulnerability reporting program.”

However, the web application security expert insisted that the vulnerability was exploitable, so he discussed the case with HackerOne staff until one of the platform managers decided to try to reproduce the exploit. Subsequently, the vulnerability was confirmed and the report was sent to Valve Software again.

Unfortunately for Kravets, the story doesn’t end there. A couple of weeks ago the expert received a message from a third HackerOne employee notifying him that the reported vulnerability was out of scope. The reasons HackerOne gave for classifying the flaw as ‘out of scope’ this time were: “attacks that require the ability to place files in arbitrary locations on the user’s file system” and “attacks that require physical access to the user’s device”. After this new refusal, the expert decided to publicly disclose the details of the flaw.

After notifying HackerOne of his decision, the expert received a new message from the platform, which prohibited him from disclosing the vulnerability. Still, the expert revealed details about the flaw on August 7, hoping the company would release an update.

“This is a sign of the little interest that big tech companies have for the safety of their users,” Kravets said. “They don’t really care about fixing their flaws; companies don’t do anything until they’re forced to do it.”

According to specialists from the International Institute of Cyber Security (IICS), in early 2019 a web application security team notified Steam of a vulnerability exploited by some hackers to take control of hundreds of users’ accounts, thereby stealing sensitive information and infecting the compromised systems with malware. The company even paid a $25k USD bounty last year to the hacker who reported an exploit for getting free games on the platform.