Friday, 16 March 2012

Valve fixes HTTPS vulnerability in Steam client



Valve has fixed a man-in-the-middle vulnerability in the Windows Steam client, which would have allowed a correctly-positioned attacker to divert and decrypt HTTPS traffic without the victim's knowledge. This made sensitive payment details, such as PayPal credentials, vulnerable to eavesdropping.


First, I'll get my grumbles out of the way: Steam has a huge number of users, and I don't like the idea of anyone being vulnerable to this type of thing. That's why I responsibly disclosed this vulnerability to Valve in November last year (although I suspect it may have been vulnerable for more than a year in total). My hope was that they would fix it quickly, and certainly before anyone tried to exploit the vulnerability. They were impressively receptive at first, but then things started going a bit quiet and some of my later emails were ignored.

Anyway, it took more than 3 months(!) to get this fixed, which seems an unreasonably long time to me. It's tempting to say that I wouldn't bother trying this hard to report a vulnerability again, but hey, I use Steam too!


[Screenshot from http://store.steampowered.com/news/7524/]

Oh yes, that leads me on to my second grumble: Although Valve has credited me for pointing out this vulnerability, they have dressed it up as an "addition" rather than a "fix". I think that's a bit deceptive, and hides the fact that there were any security problems. It may not be intentional, however.

The real change is that the client now validates certificates rather than simply displaying their status; previously, it did not validate the certificate at all, let alone display its status. The Steam client would happily render HTTPS content from any server, regardless of whether the presented SSL certificate had expired, was issued for the domain name actually being requested, or was signed by a trusted certificate authority. There have been enough issues surrounding the whole PKI arena lately, without having to worry about clients that don't actually check certificates properly...



By controlling or hijacking DNS lookups for the domain "www.paypal.com" (e.g. by providing gamers with an open wireless network that used a rogue DNS server), an attacker could have caused Steam clients to display arbitrary content instead of the expected PayPal payment flow (see screenshot above). This content could have been served from the attacker's own HTTPS server, configured to present a self-signed SSL certificate with an arbitrary common name.

Steam displayed the spoofed content without any warning or indication that the certificate was invalid. This provided a very plausible opportunity to steal a user's Steam credentials by prompting the user to re-enter them within the Steam client itself.

An attacker could also have carried out an undetectable man-in-the-middle attack by relaying Steam client requests to the legitimate PayPal website. This would have allowed the attacker to decrypt and view the user's login credentials and other sensitive details while still allowing the transaction to be processed successfully, thus avoiding any suspicion from either party. Unfortunately, that means there is no way of knowing whether or not this vulnerability was actively exploited before it was eventually fixed.
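As an added example (my own illustration, not Valve's code and not part of the original post), the following Python shows the three checks described above that the old client skipped, run against constructed certificate records in the dict shape that Python's ssl.SSLSocket.getpeercert() returns. A spoof certificate that is self-signed with an attacker-chosen common name passes a client that accepts everything, and is rejected once validity period, hostname and issuer are checked. The certificate contents, the "Example Trusted CA" trust anchor, the dates and all function names are invented for illustration; the issuer-name comparison stands in for real chain building and signature verification, which the ssl.SSLContext settings at the end delegate to OpenSSL.

```python
import ssl

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(). None of these are real certificates and
# "Example Trusted CA" is an invented trust anchor.
LEGIT_CERT = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "notBefore": "Feb 15 00:00:00 2012 GMT",
    "notAfter": "Feb 15 00:00:00 2013 GMT",
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
}
# What a rogue HTTPS server behind hijacked DNS would present: self-signed,
# with a common name of the attacker's choosing and no subjectAltName.
SPOOF_CERT = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "issuer": ((("commonName", "www.paypal.com"),),),
    "notBefore": "Nov 20 00:00:00 2011 GMT",
    "notAfter": "Nov 20 00:00:00 2021 GMT",
}
# The same legitimate certificate, but past its notAfter date.
EXPIRED_CERT = dict(LEGIT_CERT, notAfter="Mar 10 00:00:00 2012 GMT")

TRUSTED_CA_CNS = {"Example Trusted CA"}                      # hypothetical trust store
NOW = ssl.cert_time_to_seconds("Mar 16 12:00:00 2012 GMT")  # date of the post


def common_name(name):
    """Return the commonName from a getpeercert()-style distinguished name."""
    for rdn in name:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def dns_names(cert):
    """DNS names the certificate is valid for: subjectAltName first, CN as fallback."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names and common_name(cert["subject"]):
        names = [common_name(cert["subject"])]
    return names


def dns_name_matches(pattern, hostname):
    """RFC 6125 style matching: case-insensitive, wildcard only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # no partial-label or multi-label wildcards, none on a TLD
    return p_labels[1:] == h_labels[1:]


def validate_cert(cert, hostname, now=NOW, trusted_ca_cns=TRUSTED_CA_CNS):
    """The three checks the post says the old client skipped; [] means acceptable."""
    failures = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        failures.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        failures.append("expired")
    if not any(dns_name_matches(p, hostname) for p in dns_names(cert)):
        failures.append("hostname mismatch")
    if cert["issuer"] == cert["subject"]:
        failures.append("self-signed")
    elif common_name(cert["issuer"]) not in trusted_ca_cns:
        # Stand-in for real chain building and signature verification.
        failures.append("untrusted issuer")
    return failures


def old_steam_client_accepts(cert, hostname):
    """Models the behaviour described in the post: every certificate is accepted."""
    return True


def fixed_client_accepts(cert, hostname):
    return validate_cert(cert, hostname) == []


def weak_context():
    """The configuration equivalent of the old behaviour: no verification at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """What an HTTPS client should use: chain verification and hostname checking on."""
    return ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True


if __name__ == "__main__":
    for label, cert in [("legit", LEGIT_CERT), ("spoof", SPOOF_CERT), ("expired", EXPIRED_CERT)]:
        print(label, "old client:", old_steam_client_accepts(cert, "www.paypal.com"),
              "fixed client:", validate_cert(cert, "www.paypal.com") or "ok")
```

The point of the split between validate_cert and the two contexts is that the first three checks are cheap policy decisions a client can get wrong in its own code, whereas the trust decision has to rest on a verified signature chain; in a real client the whole set is switched on by leaving verify_mode at CERT_REQUIRED and check_hostname at True, and a client that clears either is back in the situation the post describes.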

42 comments:

  1. Bots from hackers are known to use ciphers to hack into the PayPal API. Thank goodness they got it patched, but I wonder how many the attackers victimized? PayPal is still popular, but platforms like EPOS software are rising in usage.

  2. Thanks for your information. Nice article

  3. Thanks for sharing this informative post. Limousine King offers affordable limo hire in Melbourne that makes your occasion special. Wedding Car Hire / Limo Hire Melbourne prices

  4. Very nice blog and articles. I am really very happy to visit your blog. Now I have found what I actually want. I check your blog every day and try to learn something from it. Thank you, and I am waiting for your new post.

    Data Science Course

  5. I am always searching online for articles that can help me. There is obviously a lot to know about this. I think you made some good points in Features also. Keep working, great job!

    Data Science Training

  6. Red Hat Certified Engineer is a professional who has expertise in handling the Red Hat Enterprise Linux System. The Certified Engineer takes care of various tasks such as setting kernel runtime parameters, handling various types of system logging and providing certain kinds of network operability. The professionals must have the ability to install networking services and security on servers running Red Hat Enterprise Linux.

    Red Hat Certified Engineer

  7. Very interesting blog. Many blogs I see these days do not really provide anything that attracts others, but believe me, the way you interact is literally awesome. You can also check my articles as well.

    Security Guard License
    Ontario Security License
    Security License Ontario
    Security License

    Thank you..

  8. Finally found a very interesting blog with valuable information; waiting for the next blog update.
    Data Analytics Course Online 360DigiTMG

  9. Thanks for this amazing blog, visit Ogen Infosystem for creative web design and development services at an affordable price.
    Website Designing Company in Delhi

  10. Excellent blog with interesting information. I really appreciate you sharing this wonderful blog, thank you.
    Data Science Training in Hyderabad

  11. PMP Certification, 7 October 2020 at 09:02

    I truly like reading every one of your web logs. I simply desired to inform you that you have persons such as me that love your own work. Absolutely an extraordinary informative article. Hats off to you! The details which you have furnished are quite valuable.
    Learn best PMP training in Hyderabad

  12. I will very much appreciate the writer's choice for choosing this excellent article suitable for my topic. Here is a detailed description of the topic of the article that helped me the most.
    unindent does not match any outer indentation level

  13. I'm glad I found this blog! Occasionally, students want to know the keys to writing productive literary essays. Your first-class knowledge of this great job can become a suitable foundation for these people. Good
    unindent does not match any outer indentation level python

  14. Hi all, I am Luna. I am pretty new here, so please be patient with me.
    I go to a lot of concerts, but my favorite singer is Lamb Of God.
    I'm currently studying to be a Merchandise manager, which is what I've always wanted to do.
    I think the one thing


    This is my site: online football betting

  15. Vegus168 football betting, free credit

    Casino, online football, online baccarat, free credit, direct website, easy to sign up

  16. Great article with valuable information found very resourceful and enjoyed reading it waiting for next blog update thanks for sharing.
    Ethical Hacking Course in Bangalore

  17. Great article with valuable information; found it very resourceful and enjoyed reading it. Waiting for the next blog update, thanks for sharing.
    typeerror nonetype object is not subscriptable

  18. To harness the power of new media, savvy marketers know that they need to connect with the customer and provide an experience in which the customer feels interactively connected to the brand in some way. data science course syllabus

  19. Nice information. Your first-class knowledge of this great job can become a suitable foundation for these people. I did some research on the subject and found that almost everyone will agree with your blog.
    Cyber Security Course in Bangalore

  20. Writing in style and getting good compliments on the article is hard enough, to be honest, but you did it so calmly and with such a great feeling and got the job done. This item is owned with style and I give it a nice compliment. Better!
    Cyber Security Training in Bangalore

  21. I am more curious to take an interest in some of them. I hope you will provide more information on these topics in your next articles.

    Business Analytics Course in Bangalore

  22. I am a new user of this site, so here I saw several articles and posts published on this site, I am more interested in some of them, hope you will provide more information on these topics in your next articles.

    Data Analytics Course in Bangalore

  23. Extremely nice and fascinating post. I was searching for this sort of data and delighted in perusing this one. Continue posting. A debt of gratitude is in order for sharing.
    data science institutes in Hyderabad

  24. I will really appreciate the writer's choice for choosing this excellent article appropriate to my matter. Here is deep description about the article matter which helped me more.
    Data Science Course

  25. Truly nice and fascinating post. I was searching for this sort of data and delighted in perusing this one. Continue posting. Much obliged for sharing.
    business analytics training

  26. I am delighted to discover this page. I must thank you for the time you devoted to this particularly fantastic reading !! I really liked each part very much and also bookmarked you to see new information on your site.
    typeerror nonetype object is not subscriptable

  27. A debt of gratitude is in order for giving late reports with respect to the worry, I anticipate read more.
    Digital Marketing Training Institutes in Hyderabad

  28. Really nice and interesting post. I was looking for this kind of information and enjoyed reading this one. Keep posting. Thanks for sharing.
    data science course in India

  29. Thank you for your post. I have looked for such an article for a long time, and today I finally found it. This post gives me lots of advice; it is very useful for me!
    data science training in Hyderabad

  30. You might comment on the order system of the blog. You should chat it's splendid. Your blog audit would swell up your visitors. I was very pleased to find this site.I wanted to thank you for this great read!!
    Artificial Intelligence Course

  31. Incredibly nice and intriguing post. I was looking for such information and took pleasure in scrutinizing this one. Keep posting. An obligation of appreciation is all together for sharing.
    data analytics course in Hyderabad

  32. Thank you so much for sharing this type of post.
    This is very much helpful for me. Keep up this type of good post.
    Please visit us below:
    data science training in Hyderabad