Steam 0-day vulnerability potentially affects over 100 million users

[Rose 268]

As reported earlier this week by Bleeping Computer, ArsTechnica and other sources, a security researcher found a vulnerability that allows to gain full access to the target computer through elevated privileges, which could be exploited by malicious game creators. According to the articles and included researcher statements, Valve have rejected two researchers' attempts to get rewarded for reporting the issue through the HackerOne platform on the basis of being out of scope and allegedly requiring physical access to the device.

The researches decided to go public as the result.

Since then, Valve appear to have patched the Steam client but only in the beta as of today.

Update: On August 13, the main client was also updated to patch the vulnerability.

Update 2: Bypassing the fix is possible.

[Suicide machine 53]

A 100 million less users potentially affected than Epic's exploit. It's fiiiine. (not it's not)

[Andytizer 269]

That's quite interesting, it seems like quite a huge vulnerability with LOCALSYSTEM privileges. I can't see why it was rejected as being out of scope by Valve. It could've been used to cause some real mayhem.

[Aemony 141]

20 hours ago, Andytizer said:

That's quite interesting, it seems like quite a huge vulnerability with LOCALSYSTEM privileges. I can't see why it was rejected as being out of scope by Valve. It could've been used to cause some real mayhem.

Most likely due to the report being a bit unfocused and not clear on the details, and possibly not providing them with a good POC that showcased how it easily it can be used to obtain elevated privileges.

Luckily making the vulnerability public helped it gain exposure, prompting Valve to take action and solve the issue.