Serious Steam Vulnerability

Apr 18
by shogun

This is a developing story and we will have more info to come.

Evidence points to this being a one-click vulnerability.

What we know now is that a criminal can send you a link through Steam's chat system. If you touch the link on your mobile device (by accident or not) and then close the browser tab, the criminal is able to add a new device and use Steam Guard to trade your inventory away, all without any notice to you.

We are not sure what else this exploit can compromise on your device.  A report has been submitted to Apple Security, so hopefully they will have a solution. 

Be careful everyone.  Your Steam account is not as secure as everyone believed.

We are waiting to hear from Valve about this issue.  We will keep you posted on their response.

As of April 22, 2024, Apple has responded and asked for additional details, which they have been given.  Valve has so far not responded.

Added April 22, 2024:

This attack started on Steam's Chat app.  The Steam Chat app is very old and has not been updated in three years.  Could the age of the Steam chat app have made this attack possible?

Here is how this one-click attack worked.  The malicious actor sent a link in Steam Chat that looked like an official Workshop item.  A person on the user's friends list sent this link in Steam Chat and asked them to support a friend by upvoting the item.  The user in this case knows not to click links, but accidentally touched the link, which opened it in the browser.  They immediately closed the browser tab.  (They are not logged into Steam on their device's browser.)  Without any notice to the user, the criminal was able to add Steam Guard to another device in Russia.

After two days, the criminal transferred valuable Steam inventory items to the criminal accounts.  How can Valve justify not returning the stolen items?  Then, after the trade was complete, the criminal started spamming everyone on the friends list and then blocked all friends.  The user was only alerted to this hack after a friend reached out on Discord to tell them their account had been hacked.  The user noticed an extra authorized device out of Russia and then revoked that device.  So how could a second device in another country, let alone a country with a long track record of criminal hacking, be set as a second Steam Guard device?  Valve stated you can only have one device for Steam Guard.  And the user's device still had Steam Guard!

How can Steam transfer account security from the U.S. to Russia without any notice?  Why would Steam's system not immediately flag and contact the user in a situation like this?

The versions involved were Steam Chat App 1.0.15 (last updated 3 years ago) and Steam App 3.7.4 (last updated 1 mo. ago).  How is it even possible that a link opened from the chat app into a browser can gain control like this?  Did the browser run code that accessed the Steam app?  Or did the Steam Chat app simply send everything necessary to hack the account into the browser and into the site?

We don't know if this affects only mobile devices or also includes desktop computers.

Also, Valve wants people to buy digital items and consider these items to have real monetary value.  People have bought and sold items using PayPal with real money for thousands of dollars.  See the backpack.tf top list to see how some inventories have huge value.  Valve's system is vulnerable, and what makes it worse is that Valve will not reverse these thefts.  Valve could easily resolve these issues with crime but has refused to resolve the rampant criminal activity on Steam.  Instead, Steam wants to blame the victims.

Have you had a one-click hack on your Steam account?  Reach out to us and tell us your story.

If you are a security researcher and know how this one-click attack works, please reach out to us.
