• Ping Us
  • Our Team
  • About Us
Thursday, May 22, 2025
Digitalys Mag
  • Home
  • Cybersecurity
  • Technology
  • Events
    • All
    • Conferences
    • Pop Culture
    National Cyber Security Congress 2.0

    National Cyber Security Congress 2.0

    Ryujin’Con 0: Videos + Article

    Ryujin’Con 0: Videos + Article

    Banzai 2018: Video + Review

    Banzai 2018: Video + Review

    Comic Con Tunisia 2018

    Comic Con Tunisia 2018

    Calendrier culturel de l’été 2018 – updated

    Calendrier culturel de l’été 2018 – updated

    [Securiday 2018] End User Protection

    [Securiday 2018] End User Protection

    • Conferences
    • Pop Culture
  • Entertainment
    • All
    • Gaming
    • Manga/Anime/comics
    • Movies / Series
    Koei Tecmo Victim of  DataBreach

    Koei Tecmo Victim of DataBreach

    Détective Conan : les épisodes de l’histoire principale triées [part 1]

    Détective Conan : les épisodes de l’histoire principale triées [part 3]

    Epic Games Store down due to Free Grand Theft Auto V offer

    Epic Games Store down due to Free Grand Theft Auto V offer

    Steam Security Saga: 0-Days, patches and researchers debates

    Steam Security Saga: 0-Days, patches and researchers debates

    [Warning] Une faille critique dans tous les jeux Blizzard permettra aux Hackers de détourner des millions de PC

    [Warning] Une faille critique dans tous les jeux Blizzard permettra aux Hackers de détourner des millions de PC

    Le clavier MantisTek GK2 pour gamers contient un KEYLOGGER!!!

    Le clavier MantisTek GK2 pour gamers contient un KEYLOGGER!!!

    • Manga/Anime/comics
    • Movies / Series
    • Gaming
  • LifeStyle
  • Funny
  • Vlogs
No Result
View All Result
Digitalys Mag
  • Home
  • Cybersecurity
  • Technology
  • Events
    • All
    • Conferences
    • Pop Culture
    National Cyber Security Congress 2.0

    National Cyber Security Congress 2.0

    Ryujin’Con 0: Videos + Article

    Ryujin’Con 0: Videos + Article

    Banzai 2018: Video + Review

    Banzai 2018: Video + Review

    Comic Con Tunisia 2018

    Comic Con Tunisia 2018

    Calendrier culturel de l’été 2018 – updated

    Calendrier culturel de l’été 2018 – updated

    [Securiday 2018] End User Protection

    [Securiday 2018] End User Protection

    • Conferences
    • Pop Culture
  • Entertainment
    • All
    • Gaming
    • Manga/Anime/comics
    • Movies / Series
    Koei Tecmo Victim of  DataBreach

    Koei Tecmo Victim of DataBreach

    Détective Conan : les épisodes de l’histoire principale triées [part 1]

    Détective Conan : les épisodes de l’histoire principale triées [part 3]

    Epic Games Store down due to Free Grand Theft Auto V offer

    Epic Games Store down due to Free Grand Theft Auto V offer

    Steam Security Saga: 0-Days, patches and researchers debates

    Steam Security Saga: 0-Days, patches and researchers debates

    [Warning] Une faille critique dans tous les jeux Blizzard permettra aux Hackers de détourner des millions de PC

    [Warning] Une faille critique dans tous les jeux Blizzard permettra aux Hackers de détourner des millions de PC

    Le clavier MantisTek GK2 pour gamers contient un KEYLOGGER!!!

    Le clavier MantisTek GK2 pour gamers contient un KEYLOGGER!!!

    • Manga/Anime/comics
    • Movies / Series
    • Gaming
  • LifeStyle
  • Funny
  • Vlogs
No Result
View All Result
Digitalys Mag
No Result
View All Result

Steam Security Saga: 0-Days, patches and researchers debates

Alyssa Berriche by Alyssa Berriche
26 August 2019
5 min read
Steam Security Saga: 0-Days, patches and researchers debates
309
VIEWS
Share on FacebookShare on TwitterShare on LinkedIn

Over the past three weeks, Steam, the popular game distribution platform, was facing a lot of criticism from the cyber-security community regarding their Bug Bounty policies.

It started with a responsible submission of zero-day vulnerability affecting Steam client to  Valve’s bug bounty program on HackerOne.

The vulnerability was a local privilege escalation (LPE), tracked as CVE-2019-14743 , affecting the Steam client for Windows and that can allow an attacker with limited permissions to run a program as an administrator. With Steam having over 100 million registered users and millions of them playing at a time, this is a serious risk that could be abused by malware to perform a variety of unwanted activities.

However, Valve determined that the flaw was “Not Applicable” and the company chose not award a bug bounty or give an indication that they would fix it, and told the researchers that they were not allowed to disclose it.

Security researchers, who both recently discovered the same vulnerability and were told that Valve would not be fixing it because it was “out of scope” of their vulnerability reporting program, decided to publicly disclose it.

As result Vasily Kravets disclosed the vulnerability in a write up, and the second researcher named Matt Nelson  decided to show how the vulnerability could be exploited and published a proof-of-concept PoC where he gets a command prompt window running with SYSTEM account privileges, the highest for a user on Windows.

 

Here is a 0day in Steam. This bug has been publicly disclosed (https://t.co/yQxqJUi9P3), so I’m opening up my PoC. No blog post since @PsiDragon covered it nicely. https://t.co/it7wAZbnF2

— Matt Nelson (@enigma0x3) August 7, 2019

 
After the massive outcry generated by this decision, Valve has changed its mind and released a fix. Unfortunately, though, another similarly reported vulnerability still exists.

While Valve may have fixed this one particular vulnerability (CVE-2019-15315) in the “Steam Client Service”, researchers still say that this was not a complete fix, though, and could be easily bypassed; this happened on August 15, when Twitter user Xiaoyin Liu posted that they had found a way around the fix.

 

I found a way to bypass the fix. The bypass requires dropping a file in a nonadmin-writable location, so I think it’s out-of-scope for Valve. Write-up: https://t.co/Lalum8LTvY cc @PsiDragon @enigma0x3 @steam_games #infosec #steam #bugbounty https://t.co/qIylEG7u2L

— Xiaoyin Liu (@general_nfs) August 15, 2019


 
Come August 20, Kravets tweets that he discovered another LPE (CVE-2019-15316) in the Steam client for Windows, but he could not report it because, after publishing his previous zero-day, he had been banned from Valve’s HackerOne bug bounty program.

Seeing that this vulnerability impacts only the Steam Windows client, with Steam having over 100 million registered users and 96.28% of them are running Windows according to the Steam Hardware & Software Survey: July 2019, the systems of roughly 96 millions of them are currently affected.

 

Valve banned me on their H1 program.
So…
I release new #ZeroDay #PublicDisclosure EoP vulnerability at Steam.
Another #0day.
Rus – https://t.co/jAoq5kCTfF
Eng – https://t.co/FfGXltXmpX

— Felix aka [xi-tauw] (@PsiDragon) August 20, 2019


 
It would appear that these reports and public disclosures determined Valve to change things for the better and release a beta update for the Windows version of Steam, which should patch the reported LPE vulnerabilities.

Valve also admitted their mistake to dismiss the bug reports and decided to update their HackerOne policy, to reflect that LPE vulnerabilities would now fall into the scope of its bug bounty program.

It remains to be seen how effective this new patch will be against the vulnerabilities, as Kravets tweeted that he would be waiting until the patch was released to the main client before testing.

 

https://t.co/WwHT7H8hcN
Valve is patching something. I’ll wait for main client update.

— Felix aka [xi-tauw] (@PsiDragon) August 22, 2019


 
It also remains to be seen if Kravets will be unbanned from Valve’s HackerOne program and compensated for his discoveries.

 

 

Interesting readings related to this story:

http://bleepingcomputer.com/news/security/steam-zero-day-vulnerability-affects-over-100-million-users/

https://www.bleepingcomputer.com/news/security/steam-security-vulnerability-fixed-researchers-dont-agree/

https://www.zdnet.com/article/researcher-publishes-second-steam-zero-day-after-getting-banned-on-valves-bug-bounty-program

https://www.bleepingcomputer.com/news/security/steam-security-saga-continues-with-vulnerability-fix-bypass/

https://www.bleepingcomputer.com/news/security/second-steam-zero-day-impacts-over-96-million-windows-users/

https://www.bleepingcomputer.com/news/security/steam-patches-lpe-vulnerabilities-in-beta-version-update/

https://www.zdnet.com/article/valve-patches-recent-steam-zero-days-calls-turning-away-researcher-a-mistake/

https://latesthackingnews.com/2019/08/25/valve-admit-their-mistakes-after-banning-researcher-on-the-hackerone-bug-bounty-platform/

 

Tags: bugbountygaminginfosecsteamvalvevulnerabilityzero-day
ShareTweetShareScan
Previous Post

Breach: Anime-Planet had 369k records breached in 2016

Next Post

CVE-2019-2234 vulnerabilities in Android Camera Apps

Alyssa Berriche

Alyssa Berriche

Cyber Threat Analyst & Security researcher. Founder and Technical Writer for DigitaLys-Mag

Related Posts

Cybersecurity

[Vulnerability] Zerologon – CVE-2020-1472 exploited in the wild

8 October 2020
National Cyber Security Congress 2.0
Conferences

National Cyber Security Congress 2.0

26 January 2020
Firefox users: Update your browser right now!
Cybersecurity

Firefox users: Update your browser right now!

10 January 2020
Next Post
CVE-2019-2234 vulnerabilities in Android Camera Apps

CVE-2019-2234 vulnerabilities in Android Camera Apps

Social Networks

  • 418 Fans
  • 141 Followers

Random Quote

I’m not alone because loneliness is always with me.

Instagram

Follow-us on Instagram
Facebook Twitter Instagram Youtube
logo-digi

  • 162
  • 656
  • 2,842
  • 10,672
  • 111,971
  • 616,708
SAM 0003
20160424 111053
20161211 094102
IMG 2551
IMG 2455
20180707 180112
20170415 151030
20161211 095050
20170708 162645
20180812 103844
20160430 114843
 MG 1099

© 2019 Digitalys Mag - Personal Blog & Magazine.

No Result
View All Result
  • Home
  • Cybersecurity
  • Technology
  • Events
    • Conferences
    • Pop Culture
  • Entertainment
    • Manga/Anime/comics
    • Movies / Series
    • Gaming
  • LifeStyle
  • Funny
  • Vlogs

© 2019 Digitalys Mag - Personal Blog & Magazine.

Login to your account below

Forgotten Password?

Fill the forms bellow to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In