
How Hackers Could Have Pwned You With a Nasty Steam Bug


steven36


Hackers could’ve exploited Steam users just by tricking them into visiting a user profile.

 


 

A common bug in the ubiquitous digital distribution platform Steam potentially allowed hackers to steal users' accounts, get them to involuntarily buy items on the community market, get users to install malware, and perhaps even take control of their computers. The bug could've likely been exploited to make a self-spreading worm too, according to hackers and security researchers.

 

 

Steam's operator Valve announced that it fixed the bug earlier today, but with over 125 million monthly active users on its platform, the exploit could have wreaked havoc for thousands of people, and for the company itself.

 

 

"Anyone who views a specially crafted profile gets popped," a white hat hacker who has found several bugs in Steam in the past, and asked to remain anonymous, told me in a Twitter DM.

Several users and security researchers noticed this week that it was possible to put malicious JavaScript code inside a Steam user's profile page, and the code will execute whenever someone visits that profile page, without any need for the victim to click anywhere. This type of bug is known as a cross-site scripting vulnerability, or XSS, a problem that's plagued Steam for years.

 

 

"Phishing scams and virus downloads are possible at the very least, but if account take overs are possible, that's about as bad as XSS gets," Jeremiah Grossman, a web security expert, said in a chat.

 

A Valve spokesperson said the bug was fixed on Tuesday at noon, but there's no telling how long the door was open for hackers to exploit it. (The spokesperson did not immediately respond to a request for comment.)

The bug was so bad that the moderators of the Steam subreddit told users to refrain from visiting other users' profiles.

"Do NOT click suspicious (real) steam profile links and Disable JavaScript on Browser," a moderator wrote in the warning post.

While XSS is a common web bug, it could have wreaked havoc in this case for Steam users, according to several security researchers and hackers who have found several bugs in Steam in the past.

Grossman and Jake Davis, a former LulzSec hacker, confirmed that the bug existed as of Tuesday morning and analyzed the potential attacks that bad guys could do if they were to exploit it.

 

 

"If something like this were to be found on Google or Facebook, it would be a high-severity issue," said Grossman, who's the Chief of Security Strategy at security firm ‎SentinelOne. "This looks like it could be wormable, which would make user account takeovers possible—if the victim user visits the wrong profile. No real safeguards are possible."

 

 

In theory, a malicious hacker could've abused this bug to essentially do what Samy Kamkar did when he exploited a bug in MySpace to get one million friends.

"Hypothetically someone could create a virus that, when opened by the victim, takes over their system and adds the same XS

 

 

"Given the XSS occurs within a trusted part of the Steam experience, it wouldn't be a stretch to imagine you could disguise an exploit as some sort of Steam update and push it to the user's downloads before redirecting back to a legitimate Steam page," Davis continued. "With enough wrangling and clever psychological tricks I reckon that would spread fairly quickly."

 

 

Davis also tested that it was possible to make someone download a dummy malware file called "open_me.exe" just by tricking a Steam user into visiting a certain profile.  

Perhaps the most damaging attack, at least for Valve itself, was to exploit this bug to make users buy items from the Steam Community Market, as long as they are under the cost limit that requires no confirmation, according to the anonymous white hat hacker and another researcher who's also found similar bugs in Steam. Hackers could've also made this into a worm, ratcheting up profits.

 

 

In other words, a hacker could have made hundreds of thousands or perhaps millions of users pay them a few dollars. Luckily, the bug is now fixed.

 

By Lorenzo Franceschi-Bicchierai

https://motherboard.vice.com/en_us/article/how-hackers-could-have-pwned-you-with-a-nasty-steam-bug

 


Just one more reason to be happy that ALL games aren't on Steam.  Origin has TitanFall 2 and Uplay has The Division, the two games I have been playing the most the last couple of months.



  • Administrator

I have not heard this in news so was not at all aware about this. But I blame it on all these new cards and cards sharing things they have introduced, which, from what I can understand, allows one to customize their profile, somehow that might have been hacked. This is just a guess though.

 

On 9/2/2017 at 4:26 AM, straycat19 said:

Just one more reason to be happy that ALL games aren't on Steam.  Origin has TitanFall 2 and Uplay has The Division, the two games I have been playing the most the last couple of months.

 

My view is different, I personally think all games should be available everywhere and I'm not the only one who thinks so, I have seen many complaining about the need to have several gaming clients installed together on a PC.

 

About TTF2, how is the single player? I was willing to try it, but cannot afford it - like most of them and as no fix is available, still have not got a chance to try it.



Archived

This topic is now archived and is closed to further replies.
