Valve has admitted it made a mistake banning a white hat hacker who detected a vulnerability on Steam and disclosed the exploit publicly, after Valve initially classified his reports as not applicable.
Somewhere deep inside Valve’s labyrinthine compound of Steam-sustaining tubes, wires, and pipes, somebody is thanking their lucky stars for Artem Moskowsky. The self-described “bug hunter” came across a glitch that allowed him to generate thousands of free keys for any game on Steam. A lesser person might have kept that knowledge to themselves. He reported it.
Russian hacker, Vasily Kravets, revealed on 7 August he'd found a vulnerability on the Steam Windows Client and reported it to Valve twice via the HackerOne bug-reporting service. Kravets then alleged Steam classified both reports as "N/A" (not applicable), which forced him to go public with it.
He wrote that the vulnerability is related to Steam's third-party games being given elevated privileges. "Steam allows to grant high privileges for every program you run," Kravets wrote in a public post.
"It is rather ironic that a launcher, which is actually designed to run third-party programs on your computer, allows them to silently get a maximum of privileges. Are you sure that a free game made of garbage by an unknown developer will behave honestly? Do you believe that for a 90 percent discount you will not get a hidden miner?"
In a separate conversation over Twitter, Kravets explained to Kotaku Australia that Steam "works with the highest available privileges, so loaded code has [the] same privileges too."
"It could disable [anti-virus], firewall or other endpoint software, [steal] private files, run and hide miner or DDoS-bot. Just take any threat of run malware and make it worse," Kravets said.
Valve classified Kravets' discovery as "out of scope", explaining a hacker would need local privileges (access to the physical PC) in order to exploit the vulnerability.
Valve offers bounties via HackerOne for any vulnerabilities correctly identified by white hat hackers but Kravets' was not considered applicable.
In a later post, Kravets provided a screenshot indicating Valve had banned him from reporting any further bugs on the site after his public disclosure.
Valve has updated its rules to ensure local privilege vulnerabilities are included as "within scope", according to Ars Technica.
"Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user's machine as that local user," Valve said in a statement. "Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam."
As for Kravets' bounty, Valve declined "to discuss the details of each situation or the status of their accounts at this time." Kravets, on the other hand, told Kotaku Australia that he simply wanted more transparency.
"I want Valve to make some public statements. About this situation and about future EoPs," he said.
Even Steam, the biggest PC gaming platform in the world, isn't immune to hacks and other issues that have in previous years rendered private information woefully public. That's where Valve's new bug bounty program comes in.
Alex Walker contributed to this report.