Valve Backtracks After Banning Hacker For Publicly Disclosing A Vulnerability

Valve has admitted it made a mistake banning a white hat hacker who detected a vulnerability on Steam and disclosed the exploit publicly, after Valve initially classified his reports as not applicable.

Russian hacker Vasily Kravets revealed on 7 August that he'd found a vulnerability in the Steam Windows Client and reported it to Valve twice via the HackerOne bug-reporting service. Kravets then alleged Steam classified both reports as "N/A" (not applicable), which forced him to go public with it.

He wrote that the vulnerability is related to Steam's third-party games being given elevated privileges. "Steam allows to grant high privileges for every program you run," Kravets wrote in a public post.

"It is rather ironic that a launcher, which is actually designed to run third-party programs on your computer, allows them to silently get a maximum of privileges. Are you sure that a free game made of garbage by an unknown developer will behave honestly? Do you believe that for a 90 percent discount you will not get a hidden miner?"

In a separate conversation over Twitter, Kravets explained to Kotaku Australia that Steam "works with the highest available privileges, so loaded code has [the] same privileges too."

"It could disable [anti-virus], firewall or other endpoint software, [steal] private files, run and hide miner or DDoS-bot. Just take any threat of run malware and make it worse," Kravets said.

Valve classified Kravets' discovery as "out of scope", explaining a hacker would need local privileges (access to the physical PC) in order to exploit the vulnerability.

Valve offers bounties via HackerOne for any vulnerabilities correctly identified by white hat hackers, but Kravets' was not considered applicable.

In a later post, Kravets provided a screenshot indicating Valve had banned him from reporting any further bugs on the site after his public disclosure.

Image: Vasily Kravets

Valve has updated its rules to ensure local privilege vulnerabilities are included as "within scope", according to Ars Technica.

"Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user's machine as that local user," Valve said in a statement. "Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam."

As for Kravets' bounty, Valve declined "to discuss the details of each situation or the status of their accounts at this time." Kravets, on the other hand, told Kotaku Australia that he simply wanted more transparency.

"I want Valve to make some public statements. About this situation and about future EoPs," he said.

Alex Walker contributed to this report.


    You have to be a special kind of insecure, petty, vindictive, ungrateful little asshole to not only ignore a security vulnerability, but to punish the person who brought it to your attention.

      Or more likely, an overworked underpaid worker in the Philippines for whom English is their second language and whose manager repeatedly reminds them that their job is not to think for themselves but to strictly apply a short set of arbitrary criteria before quickly moving onto the next ticket.

        For ordinary customer service I’d expect that to be the case, but every company I’ve worked with treats security much, much more seriously than ‘palm it off to a contract farm’.

          As the article notes, Valve claims that the problem was due to "misinterpretation of the rules", i.e. the vulnerability was outside the scope of rules that someone was paid to apply without much decision making authority.

          In any case, your extreme interpretation that it was instead some "insecure, petty, vindictive, ungrateful little asshole" also seems to contrast with the approach at every company you claim to have previously worked for, so either way we're not talking about standard operating procedures, eh? Also, angry much?

          Valve is well known to prefer contract farms and algorithms over real professionals and this is very much the kind of thing you might expect from a contract farm with very limited decision making authority.

            The professionals cost money, us the consumer don't want to pay money. Hence why things go off shore.

            Heh. It's not that contradictory at all. The organizations treat security seriously enough to have a, "Don't outsource that to a foreign contractor," policy, but the individual, petty humans involved who have Definite Ideas about How Things Should Be Done, however... can't see the forest for the trees. (Who knows, you might be right about Valve not having that particular concern.)

            And yeah, there's totally some resentment there. Well-earned, deserved resentment.

            There's a corporate truism that goes, 'if you want to stop a project from getting off the ground, get security involved.' I have joked with security people about login security being better if we could just prevent users from logging in at all, and it took a disturbingly long time for them to realize I was joking. I have so many beefs on this subject. SO MANY.

              I suspect that most industries have a running joke along the lines of something like "this job would be fantastic if it wasn't for the [insert customers/clients/students/etc here]".

        Agree with angorafish. Still it’s pretty rubbish to have a system where user reports are basically ignored

          It would be interesting to see how many reports they do get. If they are getting hundreds of reports a week about suspected security issues, I could see it slipping through.

      But Valve can do no wrong and Epic is evil!

        No-one in this industry is above being a bastard. Sony was whining about cross-platform when Microsoft was the dominant power blocking it, now Sony are being the assholes blocking it. Does this make either of them saints? Hell no. But it does mean that right now, on this topic, Sony are bigger assholes than Microsoft. Same goes for exclusivity deals, store features, consumer-affecting policies, etc.

        Epic might be a pack of douchebags who've decided that it's more important to protect developers than consumers, but on this very specific subject of security? Valve were bigger assholes.

        Though let's not forget Epic was for a time using the EGS as malware, digging around in local files it had no business examining because the fuckers didn't want to make use of perfectly safe, FAR more secure API tools, because they didn't want Valve to be able to see what they were using the API to get access to. It's all fuckers... fuckers all the way down.
