Valve Rushes To Patch XSS Flaw In Steam

A major cross-site scripting (XSS) flaw has been found on online gaming platform Steam, which if exploited would have allowed hackers to hide malicious code in their Steam profiles which would be executed when visited by another user.

Highlighted by a moderator on Steam’s official Reddit page and brought to light by an Australian programmer and developer known as Cra0kalo, the flaw could be exploited by malicious hackers, who could then redirect people on their profile to a phishing website or web page loaded with malware.

Steam leak

Valve the gaming giant behind Steam rushed to patch the flaw and prevent XSS code injection-based attacks from being carried out on its platform.

Had this not been fixed the flaw could allow for all manner of havoc to be caused on Steam, including giving hackers the ability to perform actions on a compromised Steam account without needed to beat security measures such as reconfirming passwords when a new login is detected.

Valve’s response to patching the security hole within hours was commendable, but the company will no doubts be licking its wounds over the damage the discovery of such a security hold can do for its reputation. Gamers on PCs are fairly tech savvy people and will no doubts not be impressed to hear that another major security flaw has was lurking on Steam.

As the flaw has been around for a while, there is a risk that keen Steam gamers who often view the profiles of those they play or network with, may have had been the victims of hackers exploiting the XSS vulnerability. However, if they spot odd things happening on their account then that is a tell-tale sign that they may have had their Steam credentials compromised.

Daniel Miessler, director of Advisory Services at ethical hacking firm, IOActive, noted that exploiting security flaws in gaming platforms and find ways to crack into them is something very much on the agenda of hackers.

“For decades, video games have been considered toys, but that’s now changing. Video games have become mainstream, and along with that popularity has come insecurity,” he said in a statement to Silicon.

“The XSS attack against Steam is an oldie but goodie, known as persistent XSS. It’s called persistent because the attacker makes a change to something relatively static, like a profile, and then anyone who visits that page gets the payload. This is the same type of attack that took down MySpace back in the day.”

Security issues have sucker punched Valve before, particularly on Christmas Day 2015, when Steam had suffered security issues that saw the platform showing the secured data of some users to others.

Are you a security pro? Try our quiz!

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago