Is the Steam platform dangerous for its users?

August 23, 2019, by admin

Recently, a cybersecurity expert discovered that the Steam platform had a security flaw.

The vulnerability exposed users directly to attacks of all kinds.

According to Valve, the company that publishes the platform, the flaw is not truly worrying, as it is not really likely to openly compromise the safety of users. Meanwhile, the Steam platform has more than 90 million subscribers worldwide. The researcher behind the discovery, Vasily Kravets, said the flaw was not that extreme. Nevertheless, he explains that it has its source in one of the services offered by the Steam platform.

In an article published on a blog, he points the finger at "Steam customer service", which in principle is a feature that allows the user to either disable or activate the service. The problem lies in user keys and sub-keys, which users inherit when they activate the platform service. These keys and sub-keys are the references that grant the clearances needed to make full use of Steam services. If one of a user's keys is stolen, a hacker could launch a "privilege escalation" attack against that user, as the researcher notes. This attack could apparently be carried out on any Windows computer that has run the Steam program.

The vulnerability was brought to the attention of Valve, Steam's publishing company, through the HackerOne bug bounty platform. This dates back to June 2019. Initially, the company did not take the security report into consideration. It found that the researcher who discovered the flaw did not deserve a reward because the attack "would require the ability to deposit files in arbitrary locations on the user's file system."

The researcher challenged the refusal of his reward several times, and each challenge was rejected, quite simply because Steam believes that the attack envisaged by the security expert requires hackers to come into physical contact with the terminal. The researcher, for his part, stated that he would publish details of the vulnerability within a deadline set for Valve. Even so, on July 20, the company produced a fix to address the vulnerability discovered by the researcher.

The bug bounty platform had also forbidden the researcher from publishing, which he did anyway despite the ban. In his defence he stated: "So, two weeks after sending my message, which was sent on July 20, a person appears, who tells me that my report was marked as non-applicable, they closed the discussion and did not want to offer me an explanation… Besides, they didn't want me to reveal the vulnerability. At the same time, there wasn't even a single word from Valve."

The company responded by saying: "Valve is not going to repair something they determined to be N/A."

However, on August 9, another researcher, Matt Nelson, published the same findings on GitHub. A fix has even been made to the Steam beta. This is quite funny because the first researcher had explained the platform's problem exactly in these terms: "It is rather ironic that a launcher, which is actually designed to run third-party programs on your computer, allows them to silently get a maximum of privileges."

So even though a security fix has been developed, users of the platform are advised to remain wary, as their security is at stake.
