Valve Rushes To Patch XSS Flaw In Steam

A major cross-site scripting (XSS) flaw has been found on online gaming platform Steam, which if exploited would have allowed hackers to hide malicious code in their Steam profiles which would be executed when visited by another user.

Highlighted by a moderator on Steam’s official Reddit page and brought to light by an Australian programmer and developer known as Cra0kalo, the flaw could be exploited by malicious hackers, who could then redirect people on their profile to a phishing website or web page loaded with malware.

Steam leak

Valve the gaming giant behind Steam rushed to patch the flaw and prevent XSS code injection-based attacks from being carried out on its platform.

Had this not been fixed the flaw could allow for all manner of havoc to be caused on Steam, including giving hackers the ability to perform actions on a compromised Steam account without needed to beat security measures such as reconfirming passwords when a new login is detected.

Valve’s response to patching the security hole within hours was commendable, but the company will no doubts be licking its wounds over the damage the discovery of such a security hold can do for its reputation. Gamers on PCs are fairly tech savvy people and will no doubts not be impressed to hear that another major security flaw has was lurking on Steam.

As the flaw has been around for a while, there is a risk that keen Steam gamers who often view the profiles of those they play or network with, may have had been the victims of hackers exploiting the XSS vulnerability. However, if they spot odd things happening on their account then that is a tell-tale sign that they may have had their Steam credentials compromised.

Daniel Miessler, director of Advisory Services at ethical hacking firm, IOActive, noted that exploiting security flaws in gaming platforms and find ways to crack into them is something very much on the agenda of hackers.

“For decades, video games have been considered toys, but that’s now changing. Video games have become mainstream, and along with that popularity has come insecurity,” he said in a statement to Silicon.

“The XSS attack against Steam is an oldie but goodie, known as persistent XSS. It’s called persistent because the attacker makes a change to something relatively static, like a profile, and then anyone who visits that page gets the payload. This is the same type of attack that took down MySpace back in the day.”

Security issues have sucker punched Valve before, particularly on Christmas Day 2015, when Steam had suffered security issues that saw the platform showing the secured data of some users to others.

Are you a security pro? Try our quiz!

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.

Recent Posts

Google Confronts Break-Up Threat From US DoJ

US Department of Justice mulls asking judge to force Google to sell parts of its…

3 hours ago

US Supreme Court Rejects X’s Trump Appeal

US Supreme Court declines to hear appeal from X, formerly Twitter, over nondisclosure order attached…

1 day ago

US Judge Orders Google To Allow Android App Store Competition

US federal judge orders Google to undertake wide range of measures allowing third-party app stores…

1 day ago

Ukraine Hackers Disrupt Russian Broadcaster On Putin’s Birthday

Ukrainian hackers disrupt online services of Russian state broadcaster VGTRK on Vladimir Putin's birthday, amidst…

1 day ago

Amazon Antitrust Case Gets Go-Ahead In US Court

US federal judge says FTC and 18 states may proceed with landmark Amazon antitrust case,…

1 day ago