Three active bugs in Steam make the game client vulnerable to remote code execution via invites and third-party servers. Two of the bugs remain unfixed, even though they were reported via HackerOne two years ago. The reporters are not allowed to share the vulnerabilities.
The group of hackers, operating under the name The Secret Club, has reported three vulnerabilities via the bug bounty program on HackerOne, without the bugs being fixed. They have also received no message from Valve despite repeated contact. The three are a vulnerability that enables remote code execution in all Source engine games via a Steam invite, a vulnerability that allows remote code execution in Team Fortress 2 via community servers, and a zero-day that enables remote code execution in CS:GO. None of the three vulnerabilities has been patched by Valve to date.
The vulnerabilities make it possible to open an external program in the OS via Steam, such as the calculator in the creators' example, and so potentially to take over a computer or run software that steals personal information from users. For Steam users, it means they can no longer accept friend requests or join community servers without risking their system being taken over.
The oldest bug was discovered two years ago by German hacker Florian, @floesen on Twitter. The bug was recognized on the platform after several months, and half a year ago, after repeatedly contacting Valve and HackerOne, the hacker was compensated for his report. But two years after the bug was reported, it hasn’t been fixed, and he’s not allowed to share his findings publicly.
The group says it is actively opposed to reporting the bugs, because according to HackerOne’s rules, they are not allowed to publish about the bugs unless Valve gives permission or the bug has been fixed. Until Valve responds, they cannot disclose the vulnerabilities without running the risk of being kicked off the HackerOne platform.
It’s not the first bug in Steam. In December, Valve patched the Steam client after security researchers reported four different bugs in September that allowed a computer to be taken over through Steam via third-party game servers. In 2019, too, critical bugs were discovered by security researcher Vasily Kravets, ZDNet writes. He encountered the same problem as the Secret Club researchers. After he reported the vulnerability, Valve dismissed it as inappropriate and considered fixing the bug irrelevant.
Kravets was told by HackerOne not to disclose the vulnerability, regardless of whether Valve found it suitable or not. He decided to report the vulnerability anyway. Another researcher discovered the same vulnerability and a patch followed in August 2019, but according to Kravets it is easy to circumvent.
Kravets and The Secret Club aren’t the only ones who have been told not to disclose vulnerabilities due to HackerOne’s rules. Twitter user @killa says he has encountered several problems with reporting bugs to Valve, because Valve, unlike other companies, does not allow vulnerabilities to be disclosed if the company does not respond to a bug report on HackerOne in a timely manner. He says publishing means getting banned from the platform. Another says he was paid for a vulnerability in Valve only after 11 months. Security researcher Jake Gaeler even devoted an entire blog to his experience reporting a vulnerability to Valve on HackerOne.