An Exploit Left Millions of Steam Users Vulnerable for the Past 10 Years

A security researcher found a serious vulnerability that allowed hackers to take control of a Steam user’s computer.

|
May 31 2018, 3:47pm

Hackers could have taken advantage of a nasty bug in the hugely popular video game platform Steam to take over victims’ computers.

The vulnerability has been present and exploitable in Steam for at least 10 years, according to Tom Court, a security researcher at Contextis, who wrote about the bug on Wednesday. Court said the bug left all 125 million Steam users vulnerable until March of this year, when Valve, the developers of Steam, patched it.

“This bug could have been used as the basis for a highly reliable exploit,” Court wrote. “This was a very simple bug, made relatively straightforward to exploit due to a lack of modern exploit protections.”

In other words, by exploiting this bug, hackers could have executed code on the victim’s machine, effectively taking full control over it.

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzo@jabber.ccc.de, or email lorenzo@motherboard.tv

A Valve spokesperson did not immediately respond to a request for comment. But the company publicly thanked Court in the release notes of a Steam client update dated April 4, 2018.

Valve made exploiting this vulnerability harder in July of last year, when the company implemented a security feature known as ASLR to the Steam desktop client. Before that, in any case, hackers needed to be able to observe connections between the Steam client and the server to then send malicious packets to exploit the vulnerability. So, in practice, it wasn’t trivial to target individual users.

Court said that the takeaway for this bug is that developers need to constantly review old and aging code and make sure it conforms to “modern security standards.”

“The fact that such a simple bug with such serious consequences has existed in such a popular software platform for so many years may be surprising to find in 2018 and should serve as encouragement to all vulnerability researchers to find and report more of them!” Court wrote.

Court also published a proof-of-concept video on YouTube in which he launches the calculator app (a standard trick for a hacking demo) on the target’s system taking advantage of this bug.

Get six of our favorite Motherboard stories every day by signing up for our newsletter.