Zero-day vulnerability in the Steam online gaming platform client has been revealed. According to the ethical hacking researcher who discovered the flaw, this is the second zero-day vulnerability found on Steam in just a couple of weeks.
The first vulnerability, detected by the same Russian researcher, was reported in a timely manner to Valve, a company that owns Steam. However, the expert claims that he was unable to report this new flaw, as the company prohibited him from sending further bug reports through its rewards program at HackerOne.
These reports have generated great controversy in the cybersecurity community, with the company being the main target of criticism due to alleged unprofessional behavior by its employees and collaborators, by repeatedly rejecting the vulnerability report. In addition to rejecting the expert’s reports, the company has also refused to correct detected flaws, arguing that their exploitation is highly complex, mentioning ethical hacking experts.
After being again ignored by Valve, researcher Vasily Kravets tried to reveal the vulnerability to the public; however, a member of the HackerOne platform tried to prevent this, arguing that the company had no intention of correcting this flaw.
Kravets decided to ignore warnings from HackerOne members and post the flaw anyway. This local privilege escalation failure would have allowed other third-party applications or software to run code with administrator rights on the Steam client. In the end, Kravets mentioned that HackerOne expelled him from the platform for publishing the vulnerability report without authorization, however, the fire had begun and the report began to reach various members of the cybersecurity community, who pressed until Valve announced that the reported vulnerability would be corrected.
The problems for Valve did not end there, as a short time later an ethical hacking expert demonstrated that the patch released by the company was not an efficient solution, as it was relatively easy to bypass this security measure. These flaws were also reported to Valve, but ran with the same fate as Kravets, as the company has simply ignored community reports.
Bad experiences dealing with Valve led the expert to reveal the second zero day vulnerability on his own. Like the first flaw found, this is privilege escalation vulnerability in the Steam client that, if exploited as shown in the Kravets’ proof of concept, would allow a threat actor to obtain administrator rights through the Steam app. The company has not commented on this, although it must be said that this happens very rarely.
According to specialists in ethical hacking from the International Institute of Cyber Security (IICS), the company’s position is due to the company’s position, according to its policies, privilege escalation vulnerabilities are “out of reach” of its program of error reporting. Simply put, for Valve, these are not security flaws.
Despite the company’s stance, virtually the entire cybersecurity community views escalations of privilege as serious security drawbacks. “Valve has refused to fix these flaws, showing the company’s little interest in the security of the information of its more than 100 million users,” Kravets believes.