Researcher who clashed with Valve over a Steam vulnerability, and was then banned by the company, makes the flaws public
A security researcher has opted to get his revenge on a gaming company that refused to award him a bug bounty after he uncovered a security flaw.
After a dispute with Steam’s owner, Valve, which saw him being kicked off the bug bounty program, the researcher then disclosed a zero-day privilege-escalation vulnerability for the Steam gaming client.
This is not the only dispute involving bug bounties. In 2017 Uber found itself in deep trouble with regulators after the taxi service used its bug bounty program to pay a hacker to destroy the data he had stolen.
This dispute, however, came after security researcher Vasily Kravets released a second zero-day privilege-escalation vulnerability for the Steam gaming client, owned by Valve.
According to media reports, Kravets said that the problem began in June when he reported to Valve an elevation of privilege flaw in the Steam Client, the software that gamers use to purchase and run games from the games service.
But it seems that Valve declined to recognize and pay out for the bug, as it said the flaw required local access and the ability to drop files on the target machine in order to run and was therefore not really a vulnerability.
Valve has so far declined to respond to media inquiries, but Kravets said in a blog post that after Valve refused to patch the first flaw, he disclosed the vulnerability.
But he was then banned from Valve’s bug bounty program on the HackerOne platform.
Kravets then discovered a second vulnerability that would be simple for any OS user to exploit. He decided to go ahead and publish the details of the second flaw in a blog post on Tuesday.
“Not long ago I published an article about Steam vulnerability,” wrote Kravets. “I received a lot of feedback. But Valve didn’t say a single word, HackerOne sent a huge letter and, mostly, kept silence. Eventually things escalated with Valve and I got banned by them on HackerOne – I can no longer participate in their vulnerability rejection program.”
He even published a YouTube video on the issue.
Essentially, the first flaw is a privilege-escalation vulnerability that can allow an attacker to level up and run any program with the highest possible rights on any Windows computer with Steam installed. The second flaw found by Kravets also enables local privilege escalation.
Kravets told Threatpost he is not aware of a patch for the vulnerability.
There have been a number of security scares with Valve over the years.
In 2011 for example Valve admitted that attackers compromised some forum accounts on the Steam gaming service.
There was also a security scare in December 2015 when users were able to access game libraries, credit card details, and purchase history of other users, just by attempting to access their own account details.
In 2017 a major cross-site scripting (XSS) flaw was found on Steam, which, if exploited, would have allowed hackers to hide malicious code in their Steam profiles that would be executed when visited by another user.