Valve Rushes To Patch XSS Flaw In Steam

A major cross-site scripting (XSS) flaw has been found on online gaming platform Steam, which if exploited would have allowed hackers to hide malicious code in their Steam profiles which would be executed when visited by another user.

Highlighted by a moderator on Steam’s official Reddit page and brought to light by an Australian programmer and developer known as Cra0kalo, the flaw could be exploited by malicious hackers, who could then redirect people on their profile to a phishing website or web page loaded with malware.

Steam leak

Valve the gaming giant behind Steam rushed to patch the flaw and prevent XSS code injection-based attacks from being carried out on its platform.

Had this not been fixed the flaw could allow for all manner of havoc to be caused on Steam, including giving hackers the ability to perform actions on a compromised Steam account without needed to beat security measures such as reconfirming passwords when a new login is detected.

Valve’s response to patching the security hole within hours was commendable, but the company will no doubts be licking its wounds over the damage the discovery of such a security hold can do for its reputation. Gamers on PCs are fairly tech savvy people and will no doubts not be impressed to hear that another major security flaw has was lurking on Steam.

As the flaw has been around for a while, there is a risk that keen Steam gamers who often view the profiles of those they play or network with, may have had been the victims of hackers exploiting the XSS vulnerability. However, if they spot odd things happening on their account then that is a tell-tale sign that they may have had their Steam credentials compromised.

Daniel Miessler, director of Advisory Services at ethical hacking firm, IOActive, noted that exploiting security flaws in gaming platforms and find ways to crack into them is something very much on the agenda of hackers.

“For decades, video games have been considered toys, but that’s now changing. Video games have become mainstream, and along with that popularity has come insecurity,” he said in a statement to Silicon.

“The XSS attack against Steam is an oldie but goodie, known as persistent XSS. It’s called persistent because the attacker makes a change to something relatively static, like a profile, and then anyone who visits that page gets the payload. This is the same type of attack that took down MySpace back in the day.”

Security issues have sucker punched Valve before, particularly on Christmas Day 2015, when Steam had suffered security issues that saw the platform showing the secured data of some users to others.

Are you a security pro? Try our quiz!

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago