Valve Rushes To Patch XSS Flaw In Steam

A major cross-site scripting (XSS) flaw has been found on online gaming platform Steam, which if exploited would have allowed hackers to hide malicious code in their Steam profiles which would be executed when visited by another user.

Highlighted by a moderator on Steam’s official Reddit page and brought to light by an Australian programmer and developer known as Cra0kalo, the flaw could be exploited by malicious hackers, who could then redirect people on their profile to a phishing website or web page loaded with malware.

Steam leak

Valve the gaming giant behind Steam rushed to patch the flaw and prevent XSS code injection-based attacks from being carried out on its platform.

Had this not been fixed the flaw could allow for all manner of havoc to be caused on Steam, including giving hackers the ability to perform actions on a compromised Steam account without needed to beat security measures such as reconfirming passwords when a new login is detected.

Valve’s response to patching the security hole within hours was commendable, but the company will no doubts be licking its wounds over the damage the discovery of such a security hold can do for its reputation. Gamers on PCs are fairly tech savvy people and will no doubts not be impressed to hear that another major security flaw has was lurking on Steam.

As the flaw has been around for a while, there is a risk that keen Steam gamers who often view the profiles of those they play or network with, may have had been the victims of hackers exploiting the XSS vulnerability. However, if they spot odd things happening on their account then that is a tell-tale sign that they may have had their Steam credentials compromised.

Daniel Miessler, director of Advisory Services at ethical hacking firm, IOActive, noted that exploiting security flaws in gaming platforms and find ways to crack into them is something very much on the agenda of hackers.

“For decades, video games have been considered toys, but that’s now changing. Video games have become mainstream, and along with that popularity has come insecurity,” he said in a statement to Silicon.

“The XSS attack against Steam is an oldie but goodie, known as persistent XSS. It’s called persistent because the attacker makes a change to something relatively static, like a profile, and then anyone who visits that page gets the payload. This is the same type of attack that took down MySpace back in the day.”

Security issues have sucker punched Valve before, particularly on Christmas Day 2015, when Steam had suffered security issues that saw the platform showing the secured data of some users to others.

Are you a security pro? Try our quiz!

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

7 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

9 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

10 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

11 hours ago