Valve Corp., has patched a cross-site scripting vulnerability on its popular Steam gaming platform that could be exploited by viewing a maliciously crafted profile.
The flaw could allow an attacker to carry out phishing attacks or execute malicious scripts just by opening a crafted profile page.
“I would advise against viewing suspicious profiles until further notice and disable JavaScript in your browser options,” said a Steam subreddit moderator yesterday before the bug was fixed. “Do NOT click suspicious (real) steam profile links and Disable JavaScript on Browser. Appropriate information has been forward to Valve and this issue should be resolved soon, sorry for any inconvenience.”
Shortly thereafter, another post to the subreddit declared profile views safe and explained how attackers were abusing a function of the My Guides showcase, which parsed scripts in the guides’ Title section.
“You could inject code via putting such guides up on your showcase,” the post said, adding that only multiguide showcases were vulnerable. Only profiles that were at least Level 10 were at risk; only Level 10 profiles have access to the MyGuide showcase. An attacker would then create a guide and load malicious script or a payload into the Title, and then publish it and feature it on their profile Guide showcase.
Steam boasts 125 million active users with a relatively young user base, making it an attractive target for hackers. In Dec. 2015, users were warned about an epidemic of account theft starting with the introduction of Steam Trading earlier in the year. Hackers were stealing in-game items accumulated in a user’s account and trading them repeatedly. Theft of virtual items was racking up hefty profits for attackers and forced Steam to implement two-factor authentication among other lockdown features.
Last March, Kaspersky Lab researcher Santiago Pontiroli collaborated with external researcher Bart Parys on a paper examining the Steam Stealer malware. The malware is inexpensive and flexible enough where adding new features was simple, the researchers said. Some underground sites even turned it into a service with step-by-step malware distribution guides and advice on turning a profit.
“With Steam Stealers, a ludicrously low price is usually asked of wannabe criminals for the use of the malware. For an extra cost, the full source code and a user manual is included in the package, making this scheme laughable and terrifying at the same time,” the researchers wrote at the time. “Of course, the aforementioned prices represent the low end of the ‘industry’ spectrum, but it would be hard to find any stealer being sold for more than $30. With so much competition in this niche market, it’s tough making a living as a stealer-seller without daring to go the extra mile.”
Pontiroli told Threatpost that past denial-of-service attacks against the platform during high-volume Steam sales, as well as a vulnerability that enabled account hijacking through the password reset mechanism are other examples of high-risk threats to Steam users.
“As far as the new bug I would say while it’s important for Steam to patch it, it’s not as critical as other issues the platform faced in the past,” Pontiroli said. “XSS vulnerabilities are quite common, and anyone doing a bug bounty will know that usually these types of bugs don’t pay much because they are usually the lowest hanging fruit when it comes to pen-testing an application or website.”
A 2016 study published by the Entertainment Software Association puts the average age of a gamer at 35, and that 56 percent of gamers are 35 or younger.
“In my opinion, these platforms are attacked because of the high volume of users they deal with, and because you need to buy games/items/mods/etc., and for that a lot of money is involved,” Pontiroli said. “These types of platforms are aimed at entertainment, and while of course security is needed to protect the accounts, their primary goal is to make a product that it’s easy to use, and security is added as needed.”
