An Exploit Left Millions of Steam Users Vulnerable for the Past 10 Years
The vulnerability has been present and exploitable in Steam for at least 10 years, according to Tom Court, a security researcher at Contextis, who wrote about the bug on Wednesday. Court said the bug left all 125 million Steam users vulnerable until March of this year, when Valve, the developers of Steam, patched it. In other words, by exploiting this bug, hackers could have executed code on the victim’s machine, effectively taking full control over it.
A Valve spokesperson did not immediately respond to a request for comment. But the company publicly thanked Court in the release notes of a Steam client update dated April 4, 2018. Valve made exploiting this vulnerability harder in July of last year, when the company implemented a security feature known as ASLR to the Steam desktop client.
Before that, in any case, hackers needed to be able to observe connections between the Steam client and the server to then send malicious packets to exploit the vulnerability. So, in practice, it wasn’t trivial to target individual users. Court also published a proof-of-concept video on YouTube in which he launches the calculator app (a standard trick for a hacking demo) on the target’s system taking advantage of this bug.