Firm Says Steam URLs Exploitable

Startup vulnerability research and consultancy firm ReVuln says the way Steam handles steam:// protocol URLs leaves users open to having vulnerabilities in Steam and their games exploited, reports Computerworld, who say their request for comment on this was not immediately fulfilled by Valve (thanks Ant). A proof-of-concept trailer shows what they are talking about, and here's a bit:

According to tests performed by the ReVuln researchers, Internet Explorer 9, Google Chrome and Opera display warnings and the full or partial steam:// URLs before passing them to the Steam client for execution. Firefox also requests user confirmation, but doesn't display the URL and provides no warning, while Safari automatically executes steam:// URLs without user confirmation, the researchers said.

"All the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine (like Firefox and SeaMonkey) are a perfect vector to perform silent Steam Browser Protocol calls," the researchers said. "Additionally for browsers like Internet Explorer and Opera it's still possible to hide the dodgy part of the URL from being shown in the warning message by adding several spaces into the steam:// URL itself."

Aside from tricking users to manually click on rogue steam:// URLs, attackers can use JavaScript code loaded on malicious pages to redirect browsers to such URLs, Luigi Auriemma said Tuesday via email.
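
Added example (not from ReVuln, Computerworld or the original post): a small JavaScript check a defender could run over page content to flag steam:// URLs that are padded with spaces, as described above, or that appear outside a clickable link, such as in a script redirect. The function names, the padding threshold and the sample URLs are assumptions made for illustration; the URLs are constructed placeholders, not real Steam Browser Protocol commands.

```javascript
// Assumption: three or more consecutive whitespace characters count as padding.
const PAD_RUN = 3;

// Decode percent-encoding without throwing on malformed sequences.
function safeDecode(s) {
  try { return decodeURIComponent(s); }
  catch (e) { return s.replace(/%20/gi, " "); }
}

// Find quoted steam:// URLs in HTML or script text and explain why each is suspicious.
// Limitation: HTML entities such as &#32; are not decoded here.
function scanForSteamUrls(html) {
  const re = /(href\s*=\s*)?(["'])(steam:\/\/[\s\S]*?)\2/gi;
  const findings = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const decoded = safeDecode(m[3]);
    const pad = decoded.match(new RegExp(`\\s{${PAD_RUN},}`));
    const reasons = [];
    // Padding can push the tail of the URL out of a browser's warning dialog.
    if (pad) reasons.push("whitespace-padding");
    // A URL outside an href may be navigated to by script, with no click.
    if (!m[1]) reasons.push("non-link-context");
    findings.push({
      raw: m[3],
      visiblePrefix: pad ? decoded.slice(0, pad.index) : decoded,
      hiddenTail: pad ? decoded.slice(pad.index + pad[0].length) : "",
      reasons,
    });
  }
  return findings;
}

// Constructed sample page content (placeholder commands only).
const SAMPLE = `
<a href="steam://placeholder-command/ok">Join</a>
<a href="steam://placeholder-command/ok%20%20%20%20%20%20%20%20extra-arguments">Join</a>
<script>window.location = 'steam://placeholder-command/auto';</script>
`;

for (const f of scanForSteamUrls(SAMPLE)) {
  console.log(f.reasons.join(",") || "ok", "|", f.visiblePrefix, "|", f.hiddenTail);
}
```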


53. I hate hypocrisy and blind bias. Oct 17, 2012, 22:13 hb3d
Prez wrote on Oct 17, 2012, 21:40:
Well it's no secret he's not a fan of Steam (but a big fan of Amazon and EA)
I'm not a fan of EA at all, but I hate the hypocrisy and blind bias I see around here and on other PC game forums. That is why I defended EA over its recent giveaway of free games. It's amazing the level of denial some of you EA haters will go to deal with the horrific notion that EA actually did something right or generous. EA even posted a notice on the previous survey link that new coupon codes would be sent out to those that didn't get one for the previous survey because it had to be closed. Now, that's good customer service for any company including EA.

that doesn't necessarily make him wrong.
He has to attack the messenger because he doesn't like the message and can't handle the truth.

Regarding this latest Valve security problem the silence on this both from Valve and its fans speaks volumes. When Ubisoft had a similar exploit months ago in a browser plug-in for its game client, most of you and others exploded with vitriol at Ubisoft over it even when you weren't even affected by it because you hadn't installed the plug-in. And, Ubisoft responded and fixed the problem in the same day it was reported in the news. Here, Valve didn't even reply to the researchers who discovered the problem or to Computerworld that initially reported the story. And, this latest Valve security problem affects far more people since more people use Steam and more products since the vulnerabilities are in the Steam software and several game engines themselves. The few Valve fanboys who bothered to respond in this thread either stuck their heads in the sand and denied the scope of the problem and/or blamed the researchers who found the exploits rather than place the blame on Valve where it belongs.

At what point does a company with a history of security problems and abysmal customer service stop being "awesome"? Valve is now a multiple billion dollar company. It has a virtual monopoly on PC game distribution. It needs to stop acting like a bunch of free-wheeling hippies and stop treating customer service and security like some distant afterthought and inconvenience which interrupts its playtime. But, Valve will never improve and devote the personnel and resources necessary to those functions unless customers demand it. And, so long as the company has millions of minions who think it is "awesome" anyway and keep gladly giving it their money regardless of its repeated failings, that will never happen. That is why it is important to complain even when it is your favorite company in the wrong.

This comment was edited on Oct 17, 2012, 22:31.