Scrobbs

Steam client vulnerability released


https://www.upsploit.com/index.php/advisories/view/UPS-2011-0019

Works for all client versions and steampowered.com. Pretty fundamental flaw in that it uses a static session token. Workarounds: don't store CC data server-side, change passwords often and don't access it on public networks.

The guy told them about 4 months ago, they've consistently ignored him so he has released to force their hand.

> https://www.upsploit.com/index.php/advisories/view/UPS-2011-0019
> Pretty fundamental flaw in that it uses a static session token.

That's bad.

Does Steam do anything through HTTPS? Twitter and Facebook now offer the option for everything to be done through HTTPS, so even though cookies are still in use, no one on a public network can sniff them out and steal them. I would feel more comfortable if Steam did this, too.

In related news, thank you all for buying me three hundred copies of Portal 2.


Changing your password wouldn't fix this, as your session token wouldn't change, right?

In layman's terms, if someone got your cookie, they could order you a buttload of games.

> Changing your password wouldn't fix this, as your session token wouldn't change, right?
>
> In layman's terms, if someone got your cookie, they could order you a buttload of games.

Or gift it. Or, abuse your account and get VAC banned.

> Or gift it. Or, abuse your account and get VAC banned.

Is this correct? Because surely the client doesn't use a browser cookie to verify online play?

Changing your password forces the system to give you a new session token.

Ah, good to know.


The client won't use a session ID to verify online play; rather, it is used to authenticate your Steam client session, i.e. when you start the client and log in. For example, if someone managed to grab your session ID, it would act in lieu of password authentication for your account, so the evil client would effectively be masquerading as you. If your CC details were stored server-side, the evil client would then be able to just buy games etc. as you. That's how I imagine it would work. As regards cheating, if the evil client started an aimbot, then it would still be linked to your account. This last part is a hypothesis; I haven't tried it, it's just an assumption.



This is a pretty fundamental flaw. It's strange that it's been unnoticed for years.


It's extremely unlikely that they'll be able to get your password just by having your session id, there's not much point changing your password unless it's just to brute force a new session id. Though I imagine you could accomplish the same thing just by signing out of the system.

I'm not sure if you can use the session id without spoofing some other headers to simulate the exact machine you're accessing steam from either. If you have a verified email, steam won't let you log in without responding to a token challenge when you use a new machine.

Not storing your CC on the site is a good idea though, as the most damage someone could probably do with this information is buy games via gifts.

> The guy told them about 4 months ago, they've consistently ignored him so he has released to force their hand.

Fuck everything about this. I seriously doubt this guy contacted them in a meaningful way and they ignored him. I could see it getting lost in the bureaucracy of a massive publisher like EA, Activision or Ubisoft, but not Valve. If he did his part and actually reached out to them, it's most likely something they're actually working on. Back room hackers may not understand this concept, but 4 months is not exactly a long time to turn around on a major enterprise architecture overhaul, especially when you're spending most of that time crunching on releasing a game on 4 platforms.

There's a difference between a gaping security hole, and weak security decisions. This guy may think it's something worth hot fixing immediately, but it's probably not something they can fix overnight, and it's not likely the most important thing in their queue.

Disclaimer: I have not read that guy's site, as I wouldn't touch a hacker's personal site with a 10-foot clown pole.

> Fuck everything about this. I seriously doubt this guy contacted them in a meaningful way and they ignored him. I could see it getting lost in the bureaucracy of a massive publisher like EA, Activision or Ubisoft, but not Valve. If he did his part and actually reached out to them, it's most likely something they're actually working on. Back room hackers may not understand this concept, but 4 months is not exactly a long time to turn around on a major enterprise architecture overhaul, especially when you're spending most of that time crunching on releasing a game on 4 platforms.
>
> There's a difference between a gaping security hole, and weak security decisions. This guy may think it's something worth hot fixing immediately, but it's probably not something they can fix overnight, and it's not likely the most important thing in their queue.
>
> Disclaimer: I have not read that guy's site, as I wouldn't touch a hacker's personal site with a 10-foot clown pole.

You sure get touchy about those Valves I've noticed.


That's the point: when you sign out, the session ID is not destroyed. The only time it changes is when you change your password: this is piss poor in anyone's book. If you have the session ID (in this case with Steam) you don't need anything else; the system assumes that if the client session ID matches what the server thinks it should be, that's all it needs. Session management, if done correctly, means that a new session ID is issued every time you log off, close the window, expires if you refresh the page, etc.

As for the advisories he's sent them, as far as I'm concerned, I'm satisfied that he's of the white hat variety, and trust him when he says he's told them multiple times with zero feedback.

Regarding the disclosure, that's a 100+ year argument that was solved 100+ years ago (to my mind) by the locksmith trade, but applies equally to computer security. One I happen to fully agree with. http://en.m.wikipedia.org/wiki/Full_disclosure

Your ire is mis-directed imo.


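The session handling the post above describes (a fresh ID per login, revoked on logout, killed by a password change, expiring on its own) next to the weak pattern the thread complains about (one static token per account that survives logout), as an added Python example. This is not Steam's code and not from the advisory: the classes, timeouts, cookie attributes and the step-up password check for purchases are assumptions made for illustration.

```python
"""Weak vs. hardened session handling, as an added illustration of the thread's
complaint (a static session token that survives logout and only changes with the
password). Not Steam's code: the classes, field names and timeouts are invented."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 30 * 60        # seconds of inactivity after which a session dies
ABSOLUTE_TIMEOUT = 12 * 3600  # hard cap on a session's life, however active it is
REAUTH_WINDOW = 5 * 60        # a purchase needs a password entered this recently


class WeakSessions:
    """One token per account, handed out again on every login and never revoked.
    Whoever captures it is that user until the password changes."""

    def __init__(self):
        self.tokens = {}  # user -> static token

    def login(self, user):
        return self.tokens.setdefault(user, secrets.token_hex(16))

    def logout(self, user):
        pass  # nothing is revoked server-side, which is the flaw being discussed

    def whoami(self, token):
        for user, t in self.tokens.items():
            if hmac.compare_digest(t, token):
                return user
        return None


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    last_password_at: float  # drives step-up re-authentication for purchases


class HardenedSessions:
    """Fresh 256-bit token per login, stored only as a hash, revoked on logout and
    on password change, expired on idle and absolute timers."""

    def __init__(self):
        self.sessions = {}  # sha256(token) -> Session

    @staticmethod
    def _key(token):
        # Store a digest so a leaked session table cannot be replayed as live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # new random token every login, never reused
        self.sessions[self._key(token)] = Session(user, now, now, now)
        return token

    def logout(self, token):
        self.sessions.pop(self._key(token), None)  # real server-side revocation

    def change_password(self, user):
        # A password change invalidates every session of that account at once.
        for key in [k for k, s in self.sessions.items() if s.user == user]:
            del self.sessions[key]

    def whoami(self, token, now=None):
        now = time.time() if now is None else now
        key = self._key(token)
        s = self.sessions.get(key)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self.sessions[key]  # expired: drop it rather than keep serving it
            return None
        s.last_seen = now
        return s.user

    def purchase(self, token, now=None, password_ok=False):
        """Step-up check: a valid session alone is not enough to spend money."""
        now = time.time() if now is None else now
        if self.whoami(token, now) is None:
            return "denied"
        s = self.sessions[self._key(token)]
        if password_ok:
            s.last_password_at = now
        if now - s.last_password_at > REAUTH_WINDOW:
            return "reauth-required"
        return "ok"


def session_cookie(token):
    # Secure keeps the cookie off plain HTTP (so it cannot be sniffed on a public
    # network); HttpOnly hides it from page script; SameSite limits cross-site use.
    return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Two things the contrast makes concrete: signing out only helps if the server actually forgets the token (WeakSessions.logout does not, so the token stays valid), and a password change must sweep every session of the account, not just hand the current client a new one. The Secure attribute is what answers the HTTPS question raised earlier in the thread; without it the cookie rides along on any plain-HTTP request and is readable by anyone on the same network.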
Part of this would be easily solved by asking the user to enter their password whenever they bought something, but that would also mean their sales would take a hit...

> That's the point: when you sign out, the session ID is not destroyed. The only time it changes is when you change your password: this is piss poor in anyone's book. If you have the session ID (in this case with Steam) you don't need anything else; the system assumes that if the client session ID matches what the server thinks it should be, that's all it needs. Session management, if done correctly, means that a new session ID is issued every time you log off, close the window, expires if you refresh the page, etc.
>
> As for the advisories he's sent them, as far as I'm concerned, I'm satisfied that he's of the white hat variety, and trust him when he says he's told them multiple times with zero feedback.
>
> Regarding the disclosure, that's a 100+ year argument that was solved 100+ years ago (to my mind) by the locksmith trade, but applies equally to computer security. One I happen to fully agree with. http://en.m.wikipedia.org/wiki/Full_disclosure
>
> Your ire is mis-directed imo.

We're talking about a company whose executives frequently respond to user spam directed to their publicly published email addresses. I just don't see the zero feedback for white hat activity claim. I also don't think that publishing a weakness like this solves anything, other than gets him credit for what he's discovered. What's the difference between leaking it now, or waiting for someone malicious to come along and start exploiting it?

And I'm defending Valve because they're probably the most ethical company in this industry, and one of the only ones that believes in consumer rights. Hackers have a pretty bad track record of just tightening the restrictions companies put on legitimate customers.


Well, publishing it, as per 'Full disclosure', allows you and me to protect ourselves against the potential attack. Now you know about not storing your CC details server-side. I don't think I did anyway, but if I did I certainly wouldn't any more. That's its value.

Any patch will take time to release - meanwhile it could be exploited by black hats who had found out about it and not told valve, merely using it for their own ends. Hell, it might have been exploited for years already.


They seem to have got rid of any options whatsoever for deleting stored payment information. Web and client :/

Much as I like Valve and Steam, that actually sucks balls. It's pretty shitty to not give users control over that and assume the data will never be breached.


I am absolutely an advocate of full disclosure and believe this guy deserves no flak whatsoever for revealing this.

I'd rather know the vulnerability exists so I can make as sure as possible I minimise my own exposure to its effects before black hat assholes figure it out, and the fact it's now out there in the wild will make Valve prioritise its resolution. Don't give a shit how fixing it might slot into their overall agenda and management — it needs sorting out yesterday.

If one of our sites is hacked we don't sit around with our fingers in our asses working on our usual project schedule; those other things unfortunately have to get delayed momentarily.


Yeah, sorry Forbin, but I have to agree that this would take priority. I mean, if someone drops and breaks a glass bottle in a shop you don't carry on serving customers; due to the health and safety requirements you have to deal with the problem first before you can go back to making a profit.


Yup, I'm glad that I now know about this. Will delete my credit card details immediately.

Also, I guess this is the reason why I'm now getting these emails:

> We've received a request to access your Steam account from a new computer or web browser.
>
> To complete this process, enter the following special access code into the authorization dialog before trying to log in again:

> I am absolutely an advocate of full disclosure and believe this guy deserves no flak whatsoever for revealing this.

:tup::tup::tup:

As for them being the "most ethical company"... that's like saying they're the least smelly pile of dung. (Did you miss my point above your post?)

> Wouldn't the recently implemented machine verification prevent this from working?

only partially; it only prevents steam client authentication

> :tup::tup::tup:
>
> As for them being the "most ethical company"... that's like saying they're the least smelly pile of dung. (Did you miss my point above your post?)

Not sure how it was related. And as CaptainFish points out, Steam guard essentially does this whenever you try to use steam from a new device.

Also, I give Valve a lot more credit than simply being the best of the worst. They're one of the only companies that not only believes that treating customers well generates business, but it drives their business decisions as well.

I still believe that this guy was more concerned with getting credit for his 1337 skillz than actually addressing any security problem.

What is the real risk here anyways? If someone managed to brute force your session id, and you failed to protect your account with Steam Guard, they'd be able to go to purchase a game as a gift and see your billing address. They wouldn't see your credit card, just the last 4 digits. The most damage they could do is get you VAC banned or purchase games on your account. Which would suck, but could also be fixed by the Steam billing department.

They do need to make it more convenient to clear out your credit card information. If not for this reason, then at least for all the moms out there that want to buy things for their kids without giving them a blank cheque.

I'm still not on the bandwagon with full transparency for everything. I am grateful for white hat hackers that spend their free time helping make services I use more secure, but I don't feel like everything is better when it's exposed. And I believe that people have the right to do anything with hardware they purchase, and that the laws should reinforce those ownership rights.

But I can thank GeoHot for having Sony remove Linux support from my PS3. Then later having it bricked by a mandatory firmware update meant to plug holes exposed by hackers. Yeah Sony is mostly responsible, but I was an innocent bystander in a fight between entitled teenagers and out of touch executives. And if people didn't feel the need to hack everything publicly, legitimate consumers would have way less bullshit to put up with.

And we can thank entitled hackers for scaring publishers from the PC onto DRM-ridden consoles. As much as people can assert (rightly) that 1 pirated game does not equal 1 lost sale, it doesn't matter because the hacking community poisoned the well.

So if someone goes public with some hacking they've done, it's an uphill battle for me. I'm more impressed when someone makes something with their time instead of breaking someone else's work. I see QA people break shit all day.

> only partially; it only prevents steam client authentication
*Emphasis for how I read this.

I never use the website for purchases at all, if that's what you mean by partially.

Is the cookie the same for both, since the client is just a glorified browser in some ways?


It's not only steam client though, it challenges new browsers accessing the steam site as well.


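The new-device challenge the last few posts discuss (the emailed "special access code" quoted above, and the point that it challenges new browsers as well as the client), as an added Python example. This is not Steam Guard or any Valve code: the code format, device identifiers, mail hook and class names are invented, and the design binds each issued session to the device that passed the challenge so that a captured token cannot simply be replayed from another machine.

```python
"""New-device challenge, as an added example of the machine-verification step
discussed in the thread (the emailed "special access code"). Not Steam's or
Valve's code: the code format, device identifiers, mail hook and names are invented."""
import hashlib
import hmac
import secrets

CODE_TTL = 10 * 60   # seconds an emailed code stays valid
MAX_ATTEMPTS = 3     # wrong guesses before the pending challenge is discarded


class DeviceGuard:
    def __init__(self, send_mail):
        self.send_mail = send_mail  # callable(user, code): the out-of-band channel
        self.trusted = {}           # user -> set of device ids already authorised
        self.pending = {}           # (user, device) -> {"code", "expires", "attempts"}
        self.sessions = {}          # sha256(token) -> (user, device)

    def login(self, user, password_ok, device_id, now):
        """Password alone yields a session only on a device seen before."""
        if not password_ok:
            return ("denied", None)
        if device_id in self.trusted.get(user, set()):
            return ("ok", self._issue(user, device_id))
        code = secrets.token_hex(3).upper()  # 6 hex chars, ~24 bits; attempts are capped
        self.pending[(user, device_id)] = {"code": code, "expires": now + CODE_TTL, "attempts": 0}
        self.send_mail(user, code)  # the user must fetch this from their mailbox
        return ("challenge", None)

    def confirm(self, user, device_id, code, now):
        """Second step: redeem the emailed code for this exact (user, device) pair."""
        entry = self.pending.get((user, device_id))
        if entry is None:
            return ("denied", None)
        if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[(user, device_id)]  # stale or exhausted: start over
            return ("denied", None)
        entry["attempts"] += 1
        # Constant-time compare on bytes so arbitrary user input cannot raise.
        if not hmac.compare_digest(entry["code"].encode(), code.encode()):
            return ("denied", None)
        del self.pending[(user, device_id)]
        self.trusted.setdefault(user, set()).add(device_id)
        return ("ok", self._issue(user, device_id))

    def _issue(self, user, device_id):
        token = secrets.token_urlsafe(32)  # fresh per login, never a static per-account value
        self.sessions[hashlib.sha256(token.encode()).hexdigest()] = (user, device_id)
        return token

    def resolve(self, token, device_id):
        """Map a presented token back to a user, but only from the device it was issued to."""
        entry = self.sessions.get(hashlib.sha256(token.encode()).hexdigest())
        if entry is None or entry[1] != device_id:
            return None  # captured token replayed from elsewhere: no session
        return entry[0]
```

The binding is only as strong as the device identifier. If that identifier is itself just another cookie sent over plain HTTP, someone sniffing a public network captures it together with the session token and presents both, so a challenge like this complements TLS and proper session rotation rather than replacing them. The attempt cap and expiry matter because a six-character code is short enough to guess online if the server lets an attacker keep trying.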