Zero-day vulnerability in the Steam online gaming platform client has been revealed. According to the ethical hacking researcher who discovered the flaw, this is the second zero-day vulnerability found on Steam in just a couple of weeks.
The first vulnerability, detected by the same Russian
researcher, was reported in a timely manner to Valve, a company that owns
Steam. However, the expert claims that he was unable to report this new flaw,
as the company prohibited him from sending further bug reports through its
rewards program at HackerOne.
These reports have generated great controversy
in the cybersecurity community, with the company being the main target of
criticism due to alleged unprofessional behavior by its employees and
collaborators, by repeatedly rejecting the vulnerability report. In addition to
rejecting the expert’s reports, the company has also refused to correct
detected flaws, arguing that their exploitation is highly complex, mentioning
ethical hacking experts.
After being again ignored by Valve, researcher
Vasily Kravets tried to reveal the vulnerability to the public; however, a
member of the HackerOne platform tried to prevent this, arguing that the
company had no intention of correcting this flaw.
Kravets decided to ignore warnings from HackerOne
members and post the flaw anyway. This local privilege escalation failure would
have allowed other third-party applications or software to run code with
administrator rights on the Steam client. In the end, Kravets mentioned that
HackerOne expelled him from the platform for publishing the vulnerability
report without authorization, however, the fire had begun and the report began
to reach various members of the cybersecurity community, who pressed until
Valve announced that the reported vulnerability would be corrected.
The problems for Valve did not end there, as a
short time later an ethical hacking expert demonstrated that the patch released
by the company was not an efficient solution, as it was relatively easy to
bypass this security measure. These flaws were also reported to Valve, but ran
with the same fate as Kravets, as the company has simply ignored community
reports.
Bad experiences dealing with Valve led the
expert to reveal the second zero day vulnerability on his own. Like the first
flaw found, this is privilege escalation vulnerability in the Steam client
that, if exploited as shown in the Kravets’ proof of concept, would allow a
threat actor to obtain administrator rights through the Steam app. The company
has not commented on this, although it must be said that this happens very
rarely.
According to specialists in ethical hacking from
the International Institute of Cyber Security (IICS), the company’s position is
due to the company’s position, according to its policies, privilege escalation
vulnerabilities are “out of reach” of its program of error reporting.
Simply put, for Valve, these are not security flaws.
Despite the company’s stance, virtually the
entire cybersecurity community views escalations of privilege as serious
security drawbacks. “Valve has refused to fix these flaws, showing the
company’s little interest in the security of the information of its more than 100
million users,” Kravets believes.
