Firm Says Steam URLs Exploitable

Startup vulnerability research and consultancy firm ReVuln says the way Steam handles steam:// protocol URLs leaves users open to having vulnerabilities in Steam and their games exploited, reports Computerworld, which says its request for comment on this was not immediately fulfilled by Valve (thanks Ant). A proof-of-concept trailer shows what they are talking about, and here's a bit:

According to tests performed by the ReVuln researchers, Internet Explorer 9, Google Chrome and Opera display warnings and the full or partial steam:// URLs before passing them to the Steam client for execution. Firefox also requests user confirmation, but doesn't display the URL and provides no warning, while Safari automatically executes steam:// URLs without user confirmation, the researchers said.

"All the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine (like Firefox and SeaMonkey) are a perfect vector to perform silent Steam Browser Protocol calls," the researchers said. "Additionally for browsers like Internet Explorer and Opera it's still possible to hide the dodgy part of the URL from being shown in the warning message by adding several spaces into the steam:// URL itself."

Aside from tricking users to manually click on rogue steam:// URLs, attackers can use JavaScript code loaded on malicious pages to redirect browsers to such URLs, Luigi Auriemma said Tuesday via email.
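
How a confirmation prompt could surface the space-padding trick the researchers describe, as an added example that is not code from ReVuln, Computerworld, Valve or any browser. The function names, the padding threshold and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: inspect a URL before it is handed to an external protocol
// handler. All names, the threshold and the sample URLs are assumptions.
const WEB_SCHEMES = new Set(["http", "https"]);
const PAD_RUN = 4; // assumed: this many consecutive blanks counts as padding
const BLANK = "[ \\t\\u00a0]";

// Decode %XX escapes byte by byte so a malformed escape can never throw.
// (Not full UTF-8 decoding; enough to expose encoded spaces and controls.)
function decodeLoosely(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

function inspectExternalUrl(raw) {
  const m = /^\s*([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(raw);
  if (!m) return { external: false, scheme: null, display: raw, findings: [] };
  const scheme = m[1].toLowerCase();
  const decoded = decodeLoosely(raw);
  const findings = [];
  if (new RegExp(`${BLANK}{${PAD_RUN},}`).test(decoded)) {
    findings.push("whitespace-padding");
  }
  if (/[\u0000-\u0008\u000a-\u001f\u007f]/.test(decoded)) {
    findings.push("control-characters");
  }
  // Text for the prompt: blank runs become a visible, counted marker so
  // nothing after them can be pushed out of view; controls become U+FFFD.
  const display = decoded
    .replace(new RegExp(`${BLANK}{2,}`, "g"), (run) => `[${run.length} blanks]`)
    .replace(/[\u0000-\u0008\u000a-\u001f\u007f]/g, "\uFFFD");
  return { external: !WEB_SCHEMES.has(scheme), scheme, display, findings };
}

// Policy sketch: always confirm external schemes, and refuse outright when
// the URL shows signs of having been shaped to mislead the prompt.
function decide(raw) {
  const r = inspectExternalUrl(raw);
  if (!r.external) return { action: "open", ...r };
  return { action: r.findings.length ? "block" : "confirm", ...r };
}

// Constructed sample: placeholder path, 40 spaces, then a trailing part.
const sample = "steam://placeholder/action" + " ".repeat(40) + "trailing-part";
console.log(decide(sample));
```

The `display` string is what a prompt would show in full; a prompt that truncates it would reintroduce the problem the researchers point out.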


55. Re: I hate hypocrisy and blind bias. Oct 17, 2012, 22:29 Prez
 
It's amazing the level of denial some of you EA haters will go to deal with the horrific notion that EA actually did something right or generous.

I freely admit I'm an EA hater (but given their long sordid history of being a shitty company, certainly not without cause) but if I saw there was credit to be given I would give credit where it was due. All I saw in the latest EA debacle was a ham-fisted and poorly managed attempt to gain some small measure of market penetration by giving people free games (a move so counter to their normal philosophy it serves to prove how desperate they are in my mind) which ended up being exploited like crazy. It couldn't have happened to a nicer company.

At what point does a company with a history of security problems and abysmal customer service stop being "awesome"?

So that's what this is about? It pisses you off that people think Valve is awesome? Seems pretty petty to me. I think their customer service sucks, as I already detailed earlier, but that's not enough to make me start hating on Valve like you wish I would. It seems every service has had its share of security issues lately, and while others might have raised hell I have always taken it as a matter of course considering the way things are today regardless of who it happens to. Valve isn't perfect, and not a person that I've heard said they are, but they have a long, LOOONG way to go to even come close to being as anti-consumer as EA is. The companies are almost polar opposites.

This comment was edited on Oct 17, 2012, 22:41.
 
“The greatness of a nation and its moral progress can be judged by the way its animals are treated.”
- Mahatma Gandhi