Valve Rushes To Patch XSS Flaw In Steam

The flaw could allow hackers to conduct phishing attacks and spread malware

A major cross-site scripting (XSS) flaw has been found on online gaming platform Steam, which if exploited would have allowed hackers to hide malicious code in their Steam profiles which would be executed when visited by another user.

Highlighted by a moderator on Steam’s official Reddit page and brought to light by an Australian programmer and developer known as Cra0kalo, the flaw could be exploited by malicious hackers, who could then redirect people on their profile to a phishing website or web page loaded with malware.

Steam leak

SteamOSValve the gaming giant behind Steam rushed to patch the flaw and prevent XSS code injection-based attacks from being carried out on its platform.

Had this not been fixed the flaw could allow for all manner of havoc to be caused on Steam, including giving hackers the ability to perform actions on a compromised Steam account without needed to beat security measures such as reconfirming passwords when a new login is detected.

Valve’s response to patching the security hole within hours was commendable, but the company will no doubts be licking its wounds over the damage the discovery of such a security hold can do for its reputation. Gamers on PCs are fairly tech savvy people and will no doubts not be impressed to hear that another major security flaw has was lurking on Steam.

As the flaw has been around for a while, there is a risk that keen Steam gamers who often view the profiles of those they play or network with, may have had been the victims of hackers exploiting the XSS vulnerability. However, if they spot odd things happening on their account then that is a tell-tale sign that they may have had their Steam credentials compromised.

Daniel Miessler, director of Advisory Services at ethical hacking firm, IOActive, noted that exploiting security flaws in gaming platforms and find ways to crack into them is something very much on the agenda of hackers.

“For decades, video games have been considered toys, but that’s now changing. Video games have become mainstream, and along with that popularity has come insecurity,” he said in a statement to Silicon.

“The XSS attack against Steam is an oldie but goodie, known as persistent XSS. It’s called persistent because the attacker makes a change to something relatively static, like a profile, and then anyone who visits that page gets the payload. This is the same type of attack that took down MySpace back in the day.”

Security issues have sucker punched Valve before, particularly on Christmas Day 2015, when Steam had suffered security issues that saw the platform showing the secured data of some users to others.  

Are you a security pro? Try our quiz!