Security Firm Report Reveals Steam Loopholes

News
By published

The thought that there may be a Steam vulnerability is probably panic-inducing to many PC gamers, especially those who've saved their credit card information to their account.

Not to worry, your credit card information is safe.

According to a report by security firm ReVuln, Steam browser URLs, usually used to install and run games, can be exploited to launch unwanted programs. Safari users are particularly in danger of this happening, as the browser doesn't ask for user permission before programs are launched.

The report then delineates ways to exploit Steam via the Source and Unreal engines. For instance, games like APB Reloaded, because they use anti-cheat programs such as PunkBuster, require administrator access. If users give administrative access to APB Reloaded, exploiters can be granted access to the entire system.

The report then concludes with some temporary workarounds to prevent the exploit. Hopefully, Valve is hard at work with a solution.

Contact Us for News Tips, Corrections and Feedback

TOPICS
More about cloud gaming

Most GeForce Now tiers are currently sold out — Nvidia blames high demand for unavailability

Nvidia squeezes GeForce Now users for more cash with 100-hour monthly playtime limit — Nvidia will charge $5.99 for 15 extra hours for the Ultimate tier and $2.99 for the Performance tier

Russia's Baikal has produced 85,000 of its CPUs since 2012, aims for more
See more latest
21 Comments Comment from the forums
  • nebun
    what happened with Safari being a part of the the most secure OS in the world....FAIL
    Reply
  • echondo
    For instance, games like APB Reloaded, because they use anti-cheat programs such as PunkBuster, require administrator access. If users give administrative access to APB Reloaded, exploiters can be granted access to the entire system.

    No, you're giving administrator access to PunkBuster, not APB.

    Also, people who are smart and know how to secure their passwords have at least a 10 character password for their Steam account with Steam Guard enabled AND have it linked to their Gmail with a DIFFERENT 10 character password and Gmail has their phone number for the access code when the Gmail account is trying to be accessed on a different computer.

    Also, most of us even go through another setup where we put a backup email linked to our Gmail one with a 3rd 10 character password if we need to get out primary Gmail account back.

    If you don't have it setup this way and are not using the Steam Wallet codes, then you're just asking for trouble.
    Reply
  • Kami3k
    Wait, this seems to have nothing to do with Steam but the games that are on Steam.
    Reply
  • cRACKmONKEY421
    In the comments above, not sure what this has to do with safari. I don't think it has to do with passwords or being logged into your steam account either.

    I think it's just saying steam has vulnerabilities when using the steam URL handler. This means someone could somehow give you a steam://link.whatever (which is normally just a link to start a game), you just click it in whatever browser you have, then code runs without any other user intervention. The potential is always really bad, but how easy a real attack would be is not at all described.
    Reply
  • A Bad Day
    URLs? I recall last year, there was a bank that had a major online accounts breach. The hackers discovered they could bypass all of the security by simply changing the numbers in the URL, thus automatically logging them into random accounts.

    Logically, they built a random number generator tailored for the website, and they broke into over 100k accounts, but only stole a few million for some reason.

    The bank's website designer said, "If we add security, it will break features."
    Reply
  • aftcomet
    nebunwhat happened with Safari being a part of the the most secure OS in the world....FAIL
    Everything's secure until someone decides to break into it.
    Reply
  • lpedraja2002
    echondo not everyone is as paranoid as you and not everyone uses Gmail. But still, thanks for the information I will try and implement it to my benefit.
    Reply
  • panini
    nebunwhat happened with Safari being a part of the the most secure OS in the world....FAIL
    Maybe the reason it doesn't ask for permission is because the OS is so secure?
    Reply
  • mugiebahar
    Safari is an OS?
    Reply
  • amuffin
    mugiebaharSafari is an OS?:lol:
    Reply
Most Popular
Baikal Electronics
Russia's Baikal has produced 85,000 of its CPUs since 2012, aims for more
Core Ultra 200S CPU
Intel IPO delivers better gaming performance than 200S Boost in user benchmarks
A lobster on the beach.
Despite Nvidia claims, Chinese smugglers have used live lobsters and fake baby bumps to traffic chips
Boox Mira Pro (Color)
Boox debuts 23.5-inch color E ink monitor with 1800p resolution and $1,900 price tag
Penguin + Excel
Developer gets Linux running inside Microsoft Excel, 'mostly for fun'
xMEMS Labs micro cooling fan
Tiny cooling fan-on-a-chip designed for phones to be deployed in AI data centers
Wyze Cam Floodlight 2
Wyze gets $255K tariff bill for $167K worth of floodlights
Microsoft
Microsoft hikes prices of Xbox consoles, controllers, headsets, and games worldwide - cites market conditions and price of development
8Bitdo SN30 Pro Wireless Bluetooth Controller
8BitDo backs down after blaming tariffs for suspension of China warehouse shipments to the U.S.
Stock image of a data center
UK company allegedly paid $4m in bribes to secure Microsoft data center construction contract