Security Firm Report Reveals Steam Loopholes

The thought that there may be a Steam vulnerability is probably panic-inducing to many PC gamers, especially those who've saved their credit card information to their account.

Not to worry, your credit card information is safe.

According to a report by security firm ReVuln, Steam browser URLs, usually used to install and run games, can be exploited to launch unwanted programs. Safari users are particularly in danger of this happening, as the browser doesn't ask for user permission before programs are launched.

The report then delineates ways to exploit Steam via the Source and Unreal engines. For instance, games like APB Reloaded, because they use anti-cheat programs such as PunkBuster, require administrator access. If users give administrative access to APB Reloaded, exploiters can be granted access to the entire system.

The report concludes with some temporary workarounds to prevent the exploit. Hopefully, Valve is hard at work on a solution.

  • nebun
    what happened with Safari being a part of the most secure OS in the world....FAIL
  • echondo
    "For instance, games like APB Reloaded, because they use anti-cheat programs such as PunkBuster, require administrator access. If users give administrative access to APB Reloaded, exploiters can be granted access to the entire system."

    No, you're giving administrator access to PunkBuster, not APB.

    Also, people who are smart and know how to secure their passwords have at least a 10 character password for their Steam account with Steam Guard enabled AND have it linked to their Gmail with a DIFFERENT 10 character password and Gmail has their phone number for the access code when the Gmail account is trying to be accessed on a different computer.

    Also, most of us even go through another setup where we put a backup email linked to our Gmail one with a 3rd 10 character password if we need to get our primary Gmail account back.

    If you don't have it set up this way and are not using the Steam Wallet codes, then you're just asking for trouble.
  • Kami3k
    Wait, this seems to have nothing to do with Steam but the games that are on Steam.
  • cRACKmONKEY421
    In the comments above, not sure what this has to do with Safari. I don't think it has to do with passwords or being logged into your Steam account either.

    I think it's just saying Steam has vulnerabilities when using the Steam URL handler. This means someone could somehow give you a steam://link.whatever (which is normally just a link to start a game), you just click it in whatever browser you have, then code runs without any other user intervention. The potential is always really bad, but how easy a real attack would be is not at all described.
  • A Bad Day
    URLs? I recall last year, there was a bank that had a major online accounts breach. The hackers discovered they could bypass all of the security by simply changing the numbers in the URL, thus automatically logging them into random accounts.

    Logically, they built a random number generator tailored for the website, and they broke into over 100k accounts, but only stole a few million for some reason.

    The bank's website designer said, "If we add security, it will break features."
  • aftcomet
    nebun: "what happened with Safari being a part of the most secure OS in the world....FAIL"
    Everything's secure until someone decides to break into it.
  • lpedraja2002
    echondo, not everyone is as paranoid as you and not everyone uses Gmail. But still, thanks for the information, I will try and implement it to my benefit.
  • panini
    nebun: "what happened with Safari being a part of the most secure OS in the world....FAIL"
    Maybe the reason it doesn't ask for permission is because the OS is so secure?
  • mugiebahar
    Safari is an OS?
  • amuffin
    mugiebahar: "Safari is an OS?" :lol: