Send News. Want a reply? Read this. More in the FAQ.   News Forum - All Forums - Mobile - PDA - RSS Headlines  RSS Headlines   Twitter  Twitter
Customize
User Settings
Styles:
LAN Parties
Upcoming one-time events:
Chicago, IL 11/17

Regularly scheduled events

Firm Says Steam URLs Exploitable

Startup vulnerability research and consultancy firm ReVuln says the way Steam handles steam:// protocol URLs leaves users open to having vulnerabilities in Steam and their game exploited, reports Computerworld, who say their request for comment on this was not immediately fulfilled by Valve (thanks Ant). A proof-of-concept trailer shows what they are talking about, and here's a bit:

According to tests performed by the ReVuln researchers, Internet Explorer 9, Google Chrome and Opera display warnings and the full or partial steam:// URLs before passing them to the Steam client for execution. Firefox also requests user confirmation, but doesn't display the URL and provides no warning, while Safari automatically executes steam:// URLs without user confirmation, the researchers said.

"All the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine (like Firefox and SeaMonkey) are a perfect vector to perform silent Steam Browser Protocol calls," the researchers said. "Additionally for browsers like Internet Explorer and Opera it's still possible to hide the dodgy part of the URL from being shown in the warning message by adding several spaces into the steam:// URL itself."

Aside from tricking users to manually click on rogue steam:// URLs, attackers can use JavaScript code loaded on malicious pages to redirect browsers to such URLs, Luigi Auriemma said Tuesday via email.

Email Digg Facebook Twitter   Share More    


 

   Current Headlines
Spintires: MudRunner Announced
Secret World Legends: Tokyo: Back to the Beginning Launches
Sword Art Online: Fatal Bullet Announced
StarCraft II Multiplayer Major Change Plans
JCB Pioneer: Mars Early Access This Month
Hyper Universe Early Access Next Week
Absolver Multiplayer Details and Content Plans
Ni no Kuni II: Revenant Kingdom Trailer
Morning Patches
Morning Consolidation
Morning Mobilization
Morning Metaverse
Morning Tech Bits
Morning Safety Dance
Morning Legal Briefs
Game Reviews
Hardware Reviews
Out of the Blue
Quake Champions Early Access Next Week
DUSK Episode One Released
  

 




Blue's News is a participant in Amazon Associates programs
and earns advertising fees by linking to Amazon.



footer

Blue's News logo