Do You Use Steam? Here is How You Could Be Hacked.

12035-hacked_article

Hackers could have made off with millions by hacking Steam users.

You may really enjoy playing all the games you own (most of them probably bought during the sales season. Not that anything is wrong with that) on Steam and might not be able to give it all up for any cost.

Right?

Well, bad news then.

Because that kind of attachment to the hugely popular gaming platform is exactly the thing hackers along with other cyber criminals look for when they try to target an online user/users.

The two things hackers look for, when they want to hack someone, are routine and behavior.

When you spend all your time, or even just free time, on Steam and play games on it with your buddies on the weekends, that is exactly the kind of predictable behavior hackers and other cyber criminals are looking for.

They measure your activities and monitor the routes you take to get to your activities.

Then they set up traps and you, eventually, fall into them without giving it a second thought.

But of course, that’s how the world works.

You can’t live your life thinking about hackers and other cyber criminals trying to get to your machine in order to hack and steal your sensitive information and identity.

Life has to go on and one should spend most of it doing what he/she loves or likes (or whatever gets the bills paid).

Regardless. Hackers might have already pwned you with one of their favorite Steam bugs. The worst (or the worst part depending on your perspective) part is that you may not even know if you have been infected with the Steam bug.

Until problems start to arise that is.

How Did Hackers Get To Steam Users (Hypothetically Speaking) Without Alerting Anyone Else?

Well, that isn’t exactly news in the world of cybersecurity.

Most of the time hackers hack whatever they want to hack and destroy and then vanish from the scene without a trace.

After a while, law enforcement agencies stumble on the damage done by hackers and other cyber criminals to their organizations and institutions and then begin the investigative work.

But let’s put that aside for a minute and talk about how hackers could have infected steam users with a bug that was made specifically for Steam.

For clarity’s sake, we’re talking about how hackers could have infected a lot of steam users with a nasty bug that could have ruined their gaming experience.

If hackers had actually done the thing we’re going to describe in the following paragraphs, you probably would have lost a lot of your data on Steam.

In other words, the online world is an insecure place.

steam

The Steam bug was potentially a massive problem for users and moderators.

And hence hackers don’t have many obstacles if they want to bring chaos to any given institution or organization.

As far as Steam goes, hackers could have actually exploited a relatively unknown Steam exploit in order to hack Steam users.

The method?

Believe it or not, all that the hackers need to exploit any given Steam user a simple visit to a pre-configured user profile.

But how does that actually get them to hack someone?

We all know that Steam is the ultimate digital distribution platform with millions of users worldwide.

But what most of us don’t know that this ubiquitous gaming platform has a pretty simple, and common, bug.

A bug that can be, or rather could have been, exploited by hackers and other cyber criminals in order to, potentially, steal user accounts.

And that’s not even the worst part.

Well, maybe it is but consider the fact that this simple bug could have allowed hackers to actually buy items from the community market and that too involuntarily.

Hackers could also get Steam users to install their malware.

And we all know what happens when a malware infects a computer machine right?

Let’s just say that some really nasty things can happen if a malware infects your computer machine.

And therein lies the really worst part. Hackers could have easily gained control of the Steam user’s machine if they managed to exploit the Steam bug and got the user to visit a single user profile.

In fact, hackers (good ones, if there are any) along with other security researchers believe that the Steam bug could have been utilized by cyber criminals to create a kind of self-spreading cyber worm.

And that would have been a complete disaster since the likelihood of hackers actually coming to know of the bug as a potentially self-replicating one would have been extremely high.

However, you don’t need to get off Steam.

Not yet at least.

steamos

One wonders if SteamOS has similar vulnerabilities.

Why?

Because of the announcement made by Steam’s official operator Valve.

A couple of days ago Valve announced that it had finally fixed the potential Steam bug.

That is great news given the fact that there are about, or rather more than, 125 million active users on Steam per month.

These active users use the platform to buy all kinds of games and take part in community discussions to improve how the platform actually works.

And because the level of engagement is high, the exploit would have probably affected thousands of users, not to mention the entire company itself too.

It wouldn’t be too far-fetched an idea to ask Steam users to consider them extremely fortunate that a common, and simple, Steam bug was not exploited by hackers along with other cybercriminals to wreak havoc on their machines and on the online digital gaming distribution platform itself.

There Are Two Types Of Hackers

The first kind is the one we’re all familiar with. This is your run-of-the-mill sitting-in-a-dark-basement wearing-a-hood-jacket hacker that tries to hurt people and institutions for a paid sum of money.

Sometimes, these type of hackers also engage in these kinds of destructive activities for fun or to prove something. Nothing is off limits to them.

If they get the opportunity, they would gladly go ahead and hack the hell out of key internet infrastructures such as Google search engine, or Facebook (these type of hackers actually did hack into Yahoo and stole information that belonged to over a billion users on the site).

The other kind if the white hat hacker.

A white hat hacker is kind of a good guy.

White hat hackers have learned all of the skills of a bad hacker but use their hacking skills for the good of the community rather than use it to make money to rip people off.

One white hat hacker who had actually worked on the Steam platform (that is worked from the outside, not that he has a Steam employee or something) for quite some time and had actually managed to find quite a few bugs on the Steam system got in touch with a Motherboard reporter.

Being a hacker he asked the reporter to maintain his/her (we don’t really know) anonymity and then told the Motherboard reporter through the use of a direct message on Twitter that anyone who viewed a specially crafted profile was likely to get popped.

That is, anyone who viewed the user profile which was put up on Steam by hackers and other cyber criminals was likely to get infected and hence hacked.

The week though, various Steam users along with security researchers also noted that it was actually possible for hackers and other cybercriminals to inject malicious code (javascript based one) into a Steam user profile that, then, resided inside the “official” user profile page.

The code, which would eventually hack into a user’s Steam account and do malicious stuff with it, was written in a such a manner which would execute the moment some (more like any) Steam user visited that specific user profile page.

steam-machines

Representatives from Valve say everything is under control and fixed.

The more interesting part though is that the Steam user doesn’t even have to click something or press a button or anything.

The malicious code would start the work as soon as the Steam user “just” visited the page.

All of this has been made possible by the magic of Javascript of course.

The type of bug where a Steam user becomes the victim without clicking any of the elements that are present on the user’s profile page is known as a cross-site scripting vulnerability.

More commonly it goes by the name of XSS.

Moreover, this is the same bug that has caused problems for gaming platforms such as Steam for much of its history.

Jeremiah Grossman who works as a web security expert held a chat in which he said that phishing scams along with virus downloads were, in fact, possible, to say the least.

He further added that if hackers could gain control of user accounts using a single common bug then that was about as bad as a problem like XSS could realistically get.

Of course, if the history of malicious codes and other types of viruses is anything to go by then we know that things always turn out to be worse than expected.

In other words, any word from any web security expert should be taken with a grain of salt.

The Steam Bug Got Fixed Right?

For all practical purposes, the Steam bug did get fixed.

But does that automatically mean that all Steam users are safe and no damage was caused by hackers?

There is no telling as far as recent media reports go.

A spokesperson for Valve did make the announcement that the Steam bug did get fixed sometime on Tuesday (actually, he did give the time. It was noon.) but as we have alluded to before, there is no way to ascertain how much time hackers were given to potentially exploit the open door.

When the reporter from Motherboard reached out to Valve’s spokesperson for a comment on the issue, there was no response.

Let it be known that the bug was indeed nasty. It could have caused all sorts of problems.

The severity of the potential problems could be judged from the fact that the moderators who worked on Steam’s official subreddit told the site’s users to not visit user profiles of other Steam users.

This “refraining order” is a clear indication that the Steam bug was a little more than just a random annoyance.

The moderator on Steam’s subreddit page told users in a warning message that said that users should not click suspicious (regardless of the fact if they were real or not) Steam user profile links and should just go ahead and disable JavaScript on their browsers.

So XSS is one type of web bug which is common in its occurrence.

Despite that, it has the potential to wreak havoc, especially for Steam users.

At least that is what many white hat hackers along with security researchers have published in the media.

These are also the same type of people who did some digging around in the past ad found out several other types of bugs in Steam.

The Chief of Security Strategy at SentinelOne (a security firm) recently stated that if something like this (the potential Steam bug which got “fixed”) was ever found on platforms such as Google or even Facebook, it would have been considered as a high-severity issue without a doubt.

He also said that the Steam bug looked wormable in nature and would actually make Steam user accounts vulnerable to a possible takeover and if the victim of this Steam bug, the Steam user, visited the wrong type of user profile, it too could get infected.

Grossman also pointed out that no real safeguards were possible against this type of Steam bug.

Nothing Really Happened, What’s All The Fuss About?

That’s actually true.

There was no massive breakdown of Steam’s online distribution of digital media platform and Steam users did not get hijacked by hackers and cyber criminals.

It’s all theoretical talk.

But as the elders say, prevention is always better than cure.

And theoretically speaking, it was quite easy for a malicious “bad” hacker to abuse this same Steam bug in order to, essentially, take over user accounts.

This is indeed similar to what Samy Kamkar accomplished when he took advantage, rather exploited, a similar bug in MySpace in order to reach one million friends very quickly.

Davis told a Motherboard reporter that hypothetically speaking, someone could have easily created a virus that took over a user’s entire system and added some XSS code to the user’s Steam profile as well.

Of course, the eventual victim would have to first open the page on which the virus was injected.

And since the virus could spread by injecting itself on other user profile pages as well, it was basically an exponential monster according to Davis in an interview through an online chat.

If it wasn’t clear enough already.

Nothing bad really happened.

On the other hand, a hacker could have easily forced Steam users (hundreds of thousands in total number. Some say even millions) to pay a particular sum of money to get their profile back.

Fortunately, for all of Steam users and the management behind the platform, the bug was fixed before someone could exploit it.

 

Zohair

Zohair

Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.
Zohair

COMMENTS

WORDPRESS: 0

Do You Use Steam? Here is How You Could Be Hacked.

by Zohair time to read: 9 min
0