Heads up: SteamID Spoofing on every Steam product, and more

https://www.reddit.com/r/Steam/comments/46px2w/psa_steamid_spoofing_on_every_steam_product_and/

Short version: If you join any source engine server your PC might be compromised or your steamid stolen, & a few other exploits.

Not too long ago I've reported 8 exploits involving steam & source engine games. CSGO is affected too. ("2 affect all multiplayer steam games, the rest affect all source engine games" - this was taken from here)

As proof of my report not being a lie, I've recorded this video of the hardest to properly abuse exploit. If however more proof is needed, then feel free to ask, but I'm not going to release all of this to the public.

Alright, I added a new POC demonstrating an infection on join ( no one was harmed in the making of this video ) - because I feel like I wasn't taken seriously.

Poc1: https://www.youtube.com/watch?v=K-UXrmvjV04 executable file automatically getting saved into my startup directory ( aka it would start upon reboot )

Poc2: https://www.youtube.com/watch?v=1oy7YN_fnns&feature=youtu.be another one of the file write everywhere exploits, notice how a bat file gets saved on my desktop.

The exploits involve: Bypassing cmd restrictions, a second method for bypassing cmd restrictions and being able to easily make it persist,

spoofing the friendsid, spoofing the steamid, a second method for spoofing the steamid ( unlike the first, this would affect all steam games and also make steam tell the server that you've successfully authenticated, even though you're just spoofing ). This spoofing affects all steam products.

I've also reported a way to force servers to spoof a higher playercount by sending 2 packets,

and the most dangerous ones: writing files on every client with any contents ANY location ( enough knowledge about encoding algorithms and a lot of fiddling around to write any contents though ), writing files everywhere with any contents, ANY location with a fairly easy method.

This essentially means that all clients are at risk and could be infected with a virus by simply joining a server.

However, since my report didn't get any E-Mail reply yet, I'm hereby warning the players.

Edit: I might wanna add, 4 of these could've been prevented if valve would've fixed the issues behind previous severe exploits, instead of just the exploits themselves. I saw one of the exploits being abused prior to my report and PSA, so some other people might have knowledge about stuff like SteamID spoofing too.

edit: from the same guy

Valves official servers should be safe, since they don't have any admin mod.
 
Wait, it says they submitted this to Valve today and then complains that it hasn't got any attention yet? Normally you should at least wait a few weeks/months before going public with something like this.
 
the guy sent the report into valve and then immediately posted it on reddit? bad form, the less people that are searching how to do this exploit the better

if we get fucked from this, blame that redditor
 
Wait, it says they submitted this to Valve today and then complains that it hasn't got any attention yet? Normally you should at least wait a few weeks/months before going public with something like this.

Yeah, he didn't even say this in the FP post. And looks like he edited it out from the reddit OP after people called him out.
 
Wait, it says they submitted this to Valve today and then complains that it hasn't got any attention yet? Normally you should at least wait a few weeks/months before going public with something like this.
A few days at least. He just opened up a can of worms.
 
Wait, it says they submitted this to Valve today and then complains that it hasn't got any attention yet? Normally you should at least wait a few weeks/months before going public with something like this.

Yup. If you report something you should at least give people on the other side time to verify and fix the issues reported.

Waiting only a day for response is foolish.
 
Wait, it says they submitted this to Valve today and then complains that it hasn't got any attention yet? Normally you should at least wait a few weeks/months before going public with something like this.

the guy sent the report into valve and then immediately posted it on reddit? bad form, the less people that are searching how to do this exploit the better

if we get fucked from this, blame that redditor

Jeez I had assumed he'd given Valve say, a week, not like 10 minutes :\

Bad form mate, guess i'll keep playing MGO till this blows over :\

A few days at least. He just opened up a can of worms.

OP seems to have buried the lede, in that the Steam ID spoofing isn't the big exploit. Downloading arbitrary code is.

Something like that, I would argue, should be noticed publicly ASAP. If one person can exploit it, so can others.

Better to spread the word wide so that people can avoid the risk, rather than let people be exposed for a month or two while a fix is worked on in the background.
 
Wait, it says they submitted this to Valve today and then complains that it hasn't got any attention yet? Normally you should at least wait a few weeks/months before going public with something like this.
Honestly, I think he might have done the right thing. Now Valve is forced to fix this instead of pretending like nothing is happening.
 
writing files on every client with any contents ANY location ( enough knowledge about encoding algorithms and a lot of fiddling around to write any contents though ), writing files everywhere with any contents, ANY location with a fairly easy method.
Hahahaha, oh wow. Yeah there is no sense in waiting for a Valve-time fix for this.
 
Yes, clearly Valve are blameless

Well, yes. This is obviously an exploit they don't mean to be in the system. The timing is too short for Valve to respond, let alone patch up. Most big companies might take several weeks to work on a problem depending on the scope of the issue, and usually work in tandem with the group who discovered the exploit if they're not immediately blurting it out for the world to see/take advantage of.

Onto the subject of the actual exploit, am I understanding that only games using Source servers are a problem? Or is there a problem in the way you'd connect to Steam to download games? For example: Is Warframe, which uses Steam mostly as a launcher, a problem? His wording isn't very clear.
 
Something like that, I would argue, should be noticed publicly ASAP. If one person can exploit it, so can others.

Then why haven't they until now?

No. Responsible practice is to give the reportee time to acknowledge the issue. Only if nothing is done after some time, then it is worthwhile to go public with it.
 
dunno if it's related but somebody from cambodia hacked my password the other day. scared the shit out of me... easily over 200 games on there, something i never thought about until then

made me feel shitty about raging over email verification all the time
 
Bad form mate, guess i'll keep playing MGO till this blows over :\

" ("2 affect all multiplayer steam games, the rest affect all source engine games" - this was taken from here)"

If MGO uses Steamworks, it's also affected given you have to go through Steam's master server to propagate the host/server information.
 
" ("2 affect all multiplayer steam games, the rest affect all source engine games" - this was taken from here)"

If MGO uses Steamworks, it's also affected given you have to go through Steam's master server to propagate the host/server information.
Oh. Well shit I read that wrong.
 
Yes, clearly Valve are blameless

They literally have channels exactly for this type of reporting, which is the actual point of the poster "going public".

This is the right way to do it. Random people don't have direct lines to Valve, so it needs broad attention.

http://www.valvesoftware.com/security/

Valve's security philosophy
We recognize how important it is to help protect privacy and security. We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver secure and enjoyable experiences in all of our products and services.

Security includes everyone. Our Steam users, our developers, third party software developers and the security community. Working together we can all make Steam and the Internet safer.

Reporting security issues
Security of our networks and services is important for us and for you. We take it seriously. If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our Support site. This includes password problems, login issues, suspected fraud and account abuse issues.

If you have discovered a vulnerability in Steam and/or a Valve product or have a security incident to report, email security@valvesoftware.com. Upon receipt of your message we will acknowledge your report. If you feel the need, please use our public key to encrypt your communications with us.

We believe in responsible security disclosure practices. In accordance with this we appreciate reporters privately notifying us of vulnerabilities and setting reasonable time frames for response and disclosure based on the severity of the issue. We believe this method provides the most secure environment for Steam users and the Internet at large.

We will respond as soon as we can to fix verifiable security issues. When notified of legitimate issues, we will acknowledge your report, begin investigating the issue and will work to correct any vulnerabilities quickly.
 
This is the right way to do it. Random people don't have direct lines to Valve, so it needs broad attention.

Yeah, so everyone can setup shady servers. Good times.

Not everyone reads Reddit gaming sites and if you don't give Valve a chance to fix it before letting the world know, a lot of extra people are going to get fucked up that didn't have to.
 
Regardless of the lack of responsible disclosure, this is the third large Steam vulnerability in how long?

All the big tech companies have been having security issues lately, but Valve is really something else.
 
Well, yes. This is obviously an exploit they don't mean to be in the system. The timing is too short for Valve to respond, let alone patch up. Most big companies might take several weeks to work on a problem depending on the scope of the issue, and usually work in tandem with the group who discovered the exploit if they're not immediately blurting it out for the world to see/take advantage of.

So despite it being their responsibility to ensure the security of their service they aren't to blame for vulnerabilities in it? Vulnerabilities which are remainders from the sloppy job they did fixing earlier vulnerabilities? Always amusing to see the mental gymnastics people will engage in to defend Valve. Regardless of how responsible or not this disclosure was, and after all a random reddit poster has no actual responsibility to Steam users, if you get "fucked" by it then it's on Valve and the person doing the metaphorical fucking. Not some guy who gave you (and potentially your..rapist?..this sex metaphor has gone too far) a heads up
 
So despite it being their responsibility to ensure the security of their service they aren't to blame for vulnerabilities in it? Vulnerabilities which are remainders from the sloppy job they did fixing earlier vulnerabilities? Always amusing to see the mental gymnastics people will engage in to defend Valve.

It is nowhere as amusing as the mental gymnastics people will engage in to somehow see blame in this scenario as mutually exclusive, or besides completely disparate points being made.
 
This would never happen in the Windows 10 UWP and Microsoft Cloud server ecosystem!

Joke post? There are security vulnerabilities in almost all pieces of software, Microsoft is no exception. Microsoft has a vulnerability reporting system the same as many other large companies. Some, such as Facebook, even offer monetary rewards for bug/vulnerability reporting based on severity. Some people make a solid living off security research and bug reporting.

Edit: Microsoft Bug Bounty: https://technet.microsoft.com/en-us/library/dn425036.aspx
Facebook Bug Bounty: https://www.facebook.com/BugBounty/
Google: https://www.google.ca/about/appsecurity/reward-program/
 
This is the right way to do it. Random people don't have direct lines to Valve, so it needs broad attention.

This is the worst possible way of doing it.
Responsible exploit disclosure is almost always:
1) Direct contact with the vendor
2) If action is not taken within a reasonable timeframe (which is at least a matter of days measured in working days), high level principles of the exploit are disclosed to things like Bugtraq mailing lists, and again a reasonable amount of time is given for the companies responsible to respond

Full public disclosure is a means of last resort, not a first step to infamy and reddit upvotes
 
If this is all legit, this is a world class issue. Good thing Valve doesn't make games anymore. Hyperbole, but I haven't played a source engine MP game in years...

Still, absolutely, absolutely needs to be fixed if legit. But the way Valve handles security... It's scary because in 5 or 10 years I'm concerned how bad Steam security might get in general...
 
On a Saturday. Do they even work Saturdays?

They earn millions of dollars over the weekends with sales. They have people on staff for the weekends. I'm sure the security@ emails wind up being checked on more than one person's cellphone during off hours.
 
dunno if it's related but somebody from cambodia hacked my password the other day. scared the shit out of me... easily over 200 games on there, something i never thought about until then

made me feel shitty about raging over email verification all the time

That's one reason why I love physical. The thought of having all my games tied to one account drives me insane as my library gets larger. Digital enthusiasts say it's nothing to worry about and it won't happen to them... until it happens to them. Sorry that happened to you, Bro. What happened next? Did he get in your account or did you have 2 step authentication?