One flaw fixed after criticisms about delays, but second longstanding security bug remains unaddressed

Valve belatedly fixes gaming platform vulnerability but another serious flaw remains unaddressed

Games publisher Valve has belatedly resolved a critical security flaw in its popular Steam platform that it was first notified of two years ago.

However, a separate, similarly serious vulnerability first reported to Valve more than a year ago remains unaddressed.

A Steam source engine vulnerability discovered by ‘Florian’, a member of reverse engineering group Secret Club, was finally resolved last weekend, nearly two years after it was first reported in May 2019.

Malicious game invites

The patching allowed Florian to go public with a detailed technical blog post explaining how flaws in the platform’s Source engine posed a remote code execution (RCE) risk.

An attacker would have been able to use the “Steamworks API in combination with various features and properties of the Source engine to gain remote code execution (RCE) through malicious Steam game invites”, Florian explains.

The find, reported through HackerOne, earned Florian an $8,000 payout in October 2020, around the same time a fix was developed for Team Fortress 2.

Not game-specific, the CVE-2021-30481 vulnerability potentially affected every title that used the Source engine. Valve only issued a comprehensive fix on April 17.

‘Just lazy’

As previously reported, another security researcher, Bien Pham, has been waiting for Valve to resolve another flaw that poses a RCE risk for more than a year.

The logic bug was reported to Valve on April 2, 2020 through HackerOne. By contrast, Pham reported a server side flaw in Steam earlier this month that was rapidly triaged and earned a $9,000 bug bounty payout.

There’s no evidence that the first flaw, much like the vulnerability discovered by Florian, has been exploited by miscreants but Pham is nonetheless frustrated by Valve’s continued lack of action.

“I think they are just lazy to fix client-side problems,” Pham told The Daily Swig. “My vulnerability is easy to fix (at least I think it is). When it comes to server, especially their side, they respond quite quickly, so I don't think there should be any reason for them to take a long time to resolve client side bugs.”


Catch up on the latest gaming security news


Valve is yet to respond to our requests to comment on its apparent slowness in patching vulnerabilities reported to it.

Last week, at the time we first reported the issue, HackerOne indicated it had concerns about Valve’s responsiveness, so it’s not too much of a stretch to imagine that it had a quiet word with its client, which might have contributed to it taking action, at least in the case of the older of the two flaws in play.

Steam is the world’s most popular video game distribution service, taking up to 75% of the global market share and bringing in around 20 million gamers each day.


RECOMMENDED Don’t panic! DEF CON warrant canary confusion blamed on ‘CMS mistake’