Video game developer Valve has admitted it made a “mistake” after it ignored warnings and banned a researcher who discovered a significant vulnerability in its gaming platform Steam.
Valve said it has now patched the two zero-day vulnerabilities in the Windows version of Steam, which were initially discovered by Russian security researcher Vasily Kravets.
Earlier this month Kravets discovered a zero-day privilege escalation vulnerability in the Steam Client Service which would allow malware already running on a user’s computer to use Steam to gain administrative rights and take full control of the system.
“Achieving maximum privileges can lead to much more disastrous consequences,” Kravets said in a blog post.
“For example, disabling firewall and antivirus, rootkit installation, concealing of process-miner, theft of any PC user’s private data – is just a small portion of what could be done.”
The researcher reported the flaw to Valve through its bug bounty service HackerOne before it was made public, but the company claimed that the vulnerability was outside of the program’s scope and didn’t need patching.
After Kravets made the bug public, he was also banned from the HackerOne platform. He later discovered another similar bug in the Steam platform but could not report it to Valve due to the ban.
“In short, Valve decided to remove me from the programme due to my public disclosure – I fully understand this and have no objections,” Kravets said.
“But I still think that the first disclosure was the right move. Before my post, Valve had no intentions to patch the vulnerability.
“A vulnerability is a vulnerability even if it does not fit into the security model.”
Valve initially said that the vulnerabilities were outside the scope of the bug bounty program and did not need to be patched, but later quietly rolled out a fix for them. Other researchers soon discovered ways to bypass that patch.
The company has now admitted that it erred in ignoring the researcher’s discoveries and has updated the rules of the HackerOne program.
“Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user,” a Valve spokesperson said.
“Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam. We look forward to continuing to work with the security community to improve the security of our products through the HackerOne program.”
Valve said the researcher who discovered the flaws was “incorrectly turned away”, and that its rules have been updated to “explicitly state that these issues are in scope and should be reported”.
“Any case that allows malware or compromised software to perform a privilege escalation through Steam, without providing administrative credentials or confirming a UAC dialogue, is in scope,” the new rules state.
“Any unauthorised modification of the privileged Steam Client Service is also in scope.”
It was also revealed that another prominent security researcher had discovered the same bug and notified Valve, but received the same dismissive initial response.
Valve also talked up its bug bounty program, saying that in the last two years it has worked with and rewarded 263 security researchers who have found about 500 security issues, with the company paying out $US675,000 in rewards.
Steam has over 90 million monthly active users, with Windows accounting for the vast majority of all installations.