Skip to main content

Steam Has a Huge Security Flaw on Windows

(Image credit: Valve Corporation)

Steam, the PC gaming storefront and platform owned by Valve Corporation that’s got more than 1 billion registered users, has client software that's found on tens of millions of Windows computers. It's those users who are at risk of an exploit of a significant security vulnerability.

Security researcher Vasily ‘Felix’ Kravets (via ThreatPost) found the privilege-escalation issue within the Steam Client Service, the program Steam users install on their PCs to play Steam games. 

The Client Service can be stopped and started by any user on the device, and when someone does, they get access to a series of Windows Registry subkeys relating to the program. These keys can then be edited to symlink (symbolic link, or a shortcut to access one file or Registry key from another) to other locations on the device, 

Kravets found he could point a Steam-related symlink to a Registry key with administrative privileges, restart the PC, and gain a command prompt with full system control. Needless to say, that is a big problem, as it means any limited-privilege user, including already-installed malware, can then run anything they like on a Windows PC with Steam installed.

While this potential problem is bad enough, Valve apparently treated the threat to its platform with its unfortunately trademark apathy. When Kravets tried to alert the company to the issue via bug-reporting platform HackerOne in June, his report was dismissed. Steam argued that the attack that was only possible if you placed files on the user’s filesystem, which was not true as the method used only relies on editing existing files, not adding new ones.

MORE: US Senator Says Wireless Carriers Helping Trump Build 'Surveillance State'

Kravets reopened the report with some additional information to clarify the problem, but it was rejected again, with the additional justification that the attacker needed physical access to the user’s device, also incorrect.

Kravets waited 45 days before publicly disclosing the issue. The HackerOne report has since been reopened, and Valve has issued a bug fix for the Steam Client. However, Kravets believes this fix can be bypassed, leaving the same attack vector open.

Even if no malicious individual or piece of software tries to attack your computer, Kravets says there's still a problem with how the Steam client gives any installed Steam game powerful system privileges that it doesn’t need. 

Seeing how PC games downloaded from the internet can be used to install cryptocurrency mining programs (as our sister site TechRadar has reported), Valve might want to take this issue more seriously.