Disgruntled bug-hunter drops Steam zero-day to get back at Valve for refusing him a bounty

A security bod angry at Valve’s handling of bug reports has released a zero-day vulnerability affecting the games giant’s flagship Steam app.

Russia-based bug hunter Vasily Kravets said that he was releasing details of the flaw, an elevation of privilege error, after a series of poor interactions with Valve and HackerOne led to him getting banned from the Valve bug bounty program.

The way Kravets tells is (Valve did not respond to a request for comment), the whole saga started earlier this month when he went to report a separate elevation of privilege flaw in Steam Client, the software gamers use to purchase and run games from the games service.

Valve declined to recognize and pay out for the bug, which they said required local access and the ability to drop files on the target machine in order to run and was therefore not really a vulnerability.

“I received a lot of feedback. But Valve didn’t say a single word, HackerOne sent a huge letter and, mostly, kept silence,” Kravets wrote. “Eventually things escalated with Valve and I got banned by them on HackerOne — I can no longer participate in their vulnerability rejection program (the rest of H1 is still available though).”

Now, some two weeks later, Kravets has discovered and disclosed a second elevation of privilege flaw. Like the first, this vulnerability this flaw (a DLL loading vulnerability) would require the attacker to have access to the target’s machine and the ability to write files locally.

Guy pwning scrubs in video game on PC

Get rekt: Two years in clink for game-busting DDoS brat DerpTrolling

READ MORE

If those requirements are met, Kravets said, the attacker could get the Steam app to load and execute malicious DLL files, potentially giving an even greater control over the system and allowing the attacker to further download and install all sorts of malware on the target PC.

While neither flaw would be considered a ‘critical’ risk as they each require the attacker to already have access to the target machine (if that’s the case you’re already in serious trouble, so what’s another flaw), Kravets argues that since it is a marketplace for third-party code, Steam in particular would be an attractive target with an elevated risk from EoP flaws.

“It is rather ironic that a launcher, which is actually designed to run third-party programs on your computer, allows them to silently get a maximum of privileges,” the bug-hunter notes. “Are you sure that a free game made of garbage by an unknown developer will behave honestly?” ®