Firm Says Steam URLs Exploitable

Startup vulnerability research and consultancy firm ReVuln says the way Steam handles steam:// protocol URLs leaves users open to having vulnerabilities in Steam and their games exploited, reports Computerworld, who say their request for comment on this was not immediately fulfilled by Valve (thanks Ant). A proof-of-concept trailer shows what they are talking about, and here's a bit:

According to tests performed by the ReVuln researchers, Internet Explorer 9, Google Chrome and Opera display warnings and the full or partial steam:// URLs before passing them to the Steam client for execution. Firefox also requests user confirmation, but doesn't display the URL and provides no warning, while Safari automatically executes steam:// URLs without user confirmation, the researchers said.

"All the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine (like Firefox and SeaMonkey) are a perfect vector to perform silent Steam Browser Protocol calls," the researchers said. "Additionally for browsers like Internet Explorer and Opera it's still possible to hide the dodgy part of the URL from being shown in the warning message by adding several spaces into the steam:// URL itself."

Aside from tricking users to manually click on rogue steam:// URLs, attackers can use JavaScript code loaded on malicious pages to redirect browsers to such URLs, Luigi Auriemma said Tuesday via email.
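
Added example (not part of the original post or of ReVuln's research): a filter that a proxy, mail gateway or browser extension could run over untrusted page content to flag steam:// links that use the space-padding trick described above or that call a command outside a local allowlist. The allowlist, the padding threshold and the sample links are constructed assumptions; `retailinstall` is the command named in the Computerworld excerpt quoted in the comments.

```javascript
// Added example: triage steam:// links found in untrusted HTML or script text.
// The allowlist, threshold and sample strings are constructed assumptions.
const ALLOWED_COMMANDS = new Set(["store", "run"]); // assumed local policy
const PADDING_RUN = 8; // assumed: 8+ consecutive spaces counts as padding

// Collect every steam:// URL, keeping embedded spaces so padding stays visible.
function extractSteamUrls(text) {
  return text.match(/steam:\/\/[^"'<>\r\n]*/gi) || [];
}

// Longest run of whitespace, counting %20 and %09 as one character each.
function longestPaddingRun(url) {
  const runs = url.match(/(?:[ \t]|%20|%09)+/gi) || [];
  return runs.reduce(
    (max, run) => Math.max(max, run.replace(/%20|%09/gi, " ").length), 0);
}

// Decide whether a single URL should reach the external protocol handler.
function assessSteamUrl(url) {
  const command = url.slice("steam://".length).split(/[\/\s?%]/)[0].toLowerCase();
  const reasons = [];
  if (!ALLOWED_COMMANDS.has(command)) {
    reasons.push(`command "${command}" is not on the allowlist`);
  }
  const padding = longestPaddingRun(url);
  if (padding >= PADDING_RUN) {
    reasons.push(`whitespace run of ${padding} can push text out of a prompt`);
  }
  return { url, command, verdict: reasons.length ? "block" : "allow", reasons };
}

function scanContent(text) {
  return extractSteamUrls(text).map(assessSteamUrl);
}

// Constructed sample page: a plain link, a padded link, a scripted redirect.
const SAMPLE_PAGE = [
  '<a href="steam://store/440">Store page</a>',
  '<a href="steam://run/440' + " ".repeat(40) + 'extra">Play</a>',
  '<script>location.href = "steam://retailinstall/PLACEHOLDER";</script>',
].join("\n");

for (const r of scanContent(SAMPLE_PAGE)) {
  console.log(r.verdict, r.command, r.reasons.join("; "));
}
```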

69 Replies. 4 pages. Viewing page 4.

9. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 12:10 Mashiki Amiketo
 
Jivaro wrote on Oct 17, 2012, 11:50:
Am I the only one that thinks it is bad form to go public with this before telling Valve? Seems odd to me. I am not talking about the website, I am talking about the folks that discovered the vulnerability.

Not these days. Security is through obscurity in 99% of all cases, which means the only way to get a company to patch a vulnerability is to go public and scream loudly. This isn't really the industry of 10 years ago, where you could even get a hold of someone in production and say "hey, I found this bug and it causes x,y,z to happen and when I do that I've got root." They just kinda shuffle you around until you give up.
 
--
"For every human problem,
there is a neat, simple solution;
and it is always wrong."
--H.L. Mencken
 
8. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 11:55 Creston
 
Jivaro wrote on Oct 17, 2012, 11:50:
Am I the only one that thinks it is bad form to go public with this before telling Valve? Seems odd to me. I am not talking about the website, I am talking about the folks that discovered the vulnerability.

It's really the only way to get a large corporation to even acknowledge you. All the people who find bugs in Windows and Office basically get the "Go away and fucking die" treatment from Microsoft until they reveal the flaw to the public. Then it gets fixed in a hurry.

Also, we don't know if they tried to reach Valve or not. Computerworld says they did and got no reply.

Creston
 
 
7. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 11:53 Creston
 
while Safari automatically executes steam:// URLs without user confirmation, the researchers said.

APPLE MAKES TEH SAFEST STUFF IN TEH WORLD!!1!!!1!1

Rolleyes

Creston
 
 
6. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 11:52 descender
 
Notice it says "startup company"... looks like they just got themselves some press didn't they?

I'm not convinced this is new news at all. Steam is entirely too mainstream to have not had this taken advantage of already.
 
 
5. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 11:50 Jivaro
 
Am I the only one that thinks it is bad form to go public with this before telling Valve? Seems odd to me. I am not talking about the website, I am talking about the folks that discovered the vulnerability.  
 
4. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 11:40 Kajetan
 
descender wrote on Oct 17, 2012, 11:32:
I'm not even sure of the concern here.

Steam-URLs can contain code to damage or manipulate the Steam client. This is no minor problem.
 
 
3. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 11:39 Verno
 
The Steam client also has a webkit engine, so you could redirect it to places with a payload or etc. You could also have the client perform various built in commands like uninstalling or etc. I think it's more of an issue for browsers, they should all be asking for user confirmation when you click an external protocol link.

Also:
For example, the Steam protocol's "retailinstall" command can be used to load a malformed TGA splash image file that exploits a vulnerability in the Steam client to execute malicious code in the context of its process, the researchers said.

that sort of thing.
 
 
Playing: Dragon Age Inquisition, Far Cry 4, This War of Mine
Watching: The Walking Dead, The Fall, As Above So Below
 
2. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 11:32 descender
 
I'm not even sure of the concern here. The video wasn't much help either.

If you were tabbed out and browsing the internet, a website could crash certain games?

Or launch them?

I'm sure at some point in the last 10 years a few people have tried hacking steam urls... having not run into any issues by now should speak volumes about their already in place security.
 
 
1. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 11:29 Verno
 
Hopefully Valve fixes this quickly. I rarely encounter any Steam protocol URLs but it's still a security bug that should be squashed.  
 
Playing: Dragon Age Inquisition, Far Cry 4, This War of Mine
Watching: The Walking Dead, The Fall, As Above So Below
 