Critical zero-day vulnerability on Steam online gaming platform

The gamer community is not safe from cyberattacks, as multiple groups of malicious hackers consider it a hunting ground for economic gain or a way to cause disruptions on some platforms or against users. This time, a web application security expert claims to have discovered a critical zero-day vulnerability in the Windows client of the popular online video game platform Steam.

According to Vasily Kravets, the expert in charge
of the finding, the vulnerability
resides in Steam Customer Service and, if exploited, would allow threat actors
to execute arbitrary code with LocalSystem privileges just by using a few commands.
“A user without administrator privileges could easily exploit this device
to start or stop Steam Customer Service,” he says.

This Steam feature sets permissions on
different registry keys by default, so any malicious user could establish a
link between one of those keys and another belonging to an external service. If
successful, the attacker will be able to stop or start the service at will.
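
The precondition described above is a registry key that non-administrative users are allowed to modify. The following PowerShell audit is an added example, not code from the article or from Kravets' report: it lists keys under a subtree where broad low-privileged groups hold write-type rights, including the right to create a link. The `$Root` path is a placeholder, since the article does not name the affected keys.

```powershell
# Added example: audit a registry subtree for keys that low-privileged
# principals can modify. $Root is a placeholder, not a path from the article.
param(
    [string]$Root = 'HKLM:\SOFTWARE\ExampleVendor'   # placeholder (assumption)
)

# Well-known SIDs of broad, non-administrative groups.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that let a principal alter the key, including creating a link.
$risky = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'

function Get-WeakRegistryAcl {
    param([string]$Path)
    $keys = @(Get-Item -LiteralPath $Path -ErrorAction Stop) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        try { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop }
        catch { continue }   # key not readable by the auditing account
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # account name could not be resolved
            $granted = $ace.RegistryRights -band $risky
            if ($lowPrivSids -contains $sid -and [int]$granted -ne 0) {
                [pscustomobject]@{
                    Key       = $key.Name
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $granted
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-WeakRegistryAcl -Path $Root | Format-Table -AutoSize -Wrap
```

Any row in the output is a key that a standard user can change; keys that a service running as LocalSystem also writes to or re-permissions deserve the closest review.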

The web application security expert claims that he notified Valve Software, the developer of Steam, of the vulnerability on June 15 through the HackerOne platform. Kravets also mentions that he attached to the report a detailed description of the attack, a proof of concept and an executable file.

In response, HackerOne notified Kravets that the
vulnerability had been rejected because it’s “an attack depending on the
ability to place files in arbitrary locations on the user’s file system, so it
is beyond the scope of the vulnerability reporting program.”

However, the web application security expert insisted
that the vulnerability was exploitable, so he discussed the case with HackerOne
staff until one of the platform managers decided to try to reproduce the
exploit. Subsequently, the vulnerability was confirmed and the report was sent
to Valve Software again.

Unfortunately for Kravets, the story doesn’t end there. A couple of weeks ago the expert received a message from a third HackerOne employee notifying him that the reported vulnerability was out of scope. The reasons HackerOne gave for classifying this flaw as ‘out of scope’ this time were: “attacks that require the ability to place files in arbitrary locations on the user’s file system” and “attacks that require physical access to the user’s device”. After this new refusal, the expert decided to publicly disclose the details of this flaw.

After notifying HackerOne of his decision, the expert received a new message from the platform, which prohibited him from disclosing the vulnerability. Still, the expert revealed details about the flaw on August 7, hoping the company would implement some upgrade or update.

“This is a sign of the little interest
that big tech companies have for the safety of their users,” Kravets said.
“They don’t really care about fixing their flaws; companies don’t do
anything until they’re forced to do it.”

According to specialists from the International Institute of Cyber Security (IICS), in early 2019 a web application security team notified Steam of a vulnerability exploited by some hackers to take control of hundreds of users’ accounts, thereby stealing sensitive information and infecting the compromised systems with malware. The company even paid a $25k USD bounty last year to the hacker who reported an exploit to get free games on the platform.
