Valve have been treating Steam's security flaws as business opportunities for quite a while now, paying HackerOne researchers and other services to snuff them out, but their most recent case isn't exactly a point of pride for the company.
Steam's zero-day vulnerability, which could hijack your account to run malware and install spyware, was found by bug-hunter Vasily Kravets, who has had some unfortunate dealings with Valve as of late.
According to Kravets, and later confirmed by Valve, his disclosure of an elevation-of-privilege hole in the Steam client via HackerOne was dismissed by the company.
The dismissal also meant he was denied payment; Valve's grounds were that the exploit was not an actual vulnerability, since it required local access and the ability to drop files on the computer in question.
It seems communication between Valve and Kravets turned sour at this point, and the company went so far as to ban his HackerOne account from participating in its future bug-hunting. There aren't many details on this part, but it's safe to assume some sort of heated exchange.
Fast-forward two weeks, and Kravets found yet another elevation-of-privilege flaw; disclosing it finally forced Valve to take notice.
Interestingly, Valve actually apologised for ignoring the vulnerability, insisting that their HackerOne program was always meant to include the sort of exploits Kravets found.
"Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user [...] Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam", they told The Register.
Valve have since plugged the security holes and updated their HackerOne program rules to state more explicitly that similar exploits are in scope for future reports.
They also pointed out that Steam's bug-hunting via HackerOne has earned 263 security researchers $675,000 for snuffing out around 500 security issues, but Kravets' case is still being reviewed to "determine the appropriate actions."