If There’s a Security Flaw in Steam, But Valve Refuses to Acknowledge It…

Does it still make a noise? You bet. Researcher publishes second Steam zero day after getting banned on Valve’s bug bounty program.

So a security researcher finds an Escalation of Privilege/Local Privilege Escalation bug in Steam, the gaming engine from Valve. He reports it. They say it isn’t a problem. When he tries to make the report public (Valve just said it isn’t a problem) they lock the report, and when he reports it anyway they ban him from the bug-bounty program. And they (try to) fix the problem. (Turns out their fix needs a fix.)

So when the original security researcher found a 2nd zero-day exploit, he was banned from the bug-bounty program, so he just turned it loose on the world.

EoP/LPE vulnerabilities can’t allow a threat actor to hack a remote app or computer. They are vulnerabilities abused during post-exploitation, mostly so attackers can take full control over a target by gaining root/admin/system rights.

While Valve doesn’t consider these as security flaws, everyone else does. For example, Microsoft patches tens of EoP/LPE flaws each month, and OWASP considers EoP/LPE as the fifth most dangerous security flaw in its infamous Top 10 Vulnerabilities list.

So now the guy is banned, and he is banging on Steam anyway. Way. To. Go.

Furthermore, a well-known and highly respected security researcher named Matt Nelson also revealed he found the same exact bug, but after Kravets, which he too reported to Valve’s HackerOne program, only to go through a similar bad experience as Kravets.

Nelson said Valve and HackerOne took five days to acknowledge the bug, refused to patch it, and then locked the bug report when Nelson wanted to disclose the bug publicly and warn users.

Nelson later released proof-of-concept code for the first Steam zero-day, and also criticized Valve and HackerOne for their abysmal handling of his bug report.
