
Steam 0-day vulnerability potentially affects over 100 million users




As reported earlier this week by Bleeping Computer, ArsTechnica and other sources, a security researcher found a vulnerability that allows gaining full access to the target computer through elevated privileges, which could be exploited by malicious game creators. According to the articles and included researcher statements, Valve have rejected two researchers' attempts to get rewarded for reporting the issue through the HackerOne platform on the basis of being out of scope and allegedly requiring physical access to the device.

The researchers decided to go public as a result.

Since then, Valve appear to have patched the Steam client but only in the beta as of today.

Update: On August 13, the main client was also updated to patch the vulnerability.

Update 2: Bypassing the fix is possible.


20 hours ago, Andytizer said:

That's quite interesting, it seems like quite a huge vulnerability with LOCALSYSTEM privileges. I can't see why it was rejected as being out of scope by Valve. It could've been used to cause some real mayhem.

Most likely due to the report being a bit unfocused and not clear on the details, and possibly not providing them with a good POC that showcased how easily it can be used to obtain elevated privileges.

Luckily making the vulnerability public helped it gain exposure, prompting Valve to take action and solve the issue.
