Valve has only just plugged a security flaw that has existed in Steam’s code for a decade and a half. The oversight was discovered by Context Information S…
Valve has only just plugged a security flaw that has existed in Steam’s code for a decade and a half.
The oversight was discovered by Context Information Security’s Tom Court in February, who has written a pretty detailed blog post that goes in-depth into the flaw .
In short – every single user was exposed to hijack attempts from third-parties. Court says that the flaw was in Steam’s code from its early days and was never addressed because no-one attempted to exploit it. The custom Steam protocol did not check the first data package exchanged, leaving it open to exploitation from malevolent parties.
Within half a day of being reported, Valve rolled out a patch to address this on its Steam beta branch before a full roll-out on March 22nd.
The Pacific West-based company has since announced a bug bounty for pretty much any of its services, including Steam. It’s possible that this extremely concerning revelation could have been the impetus for this.
