Report: Steam URL Protocol Can Be Exploited By Hackers

Computer World reports that the way browsers and other applications handle the "steam://" protocol URLs can be exploited by hackers, according to researchers from ReVuln. The Steam client can run on Windows and Mac OS X. Valve is currently testing a beta version of the client that supports Linux.

Researchers say that the Steam client registers itself as a steam:// URL protocol handler on install. When users click on a steam:// URL in a browser or a different application, the URL is automatically passed to the Steam client for execution. Steam:// URLs can invoke Steam protocol commands that install, uninstall or update games, start games with certain parameters, back up files or perform other supported actions.

The problem, according to the researchers, is that hackers can abuse these commands remotely: a maliciously crafted steam:// URL placed on a web site or delivered through other methods tricks users into executing them. The other problem is that some browsers pass steam:// URLs to the Steam client automatically, without asking users for confirmation.

"All the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine (like Firefox and SeaMonkey) are a perfect vector to perform silent Steam Browser Protocol calls," the researchers said. "Additionally for browsers like Internet Explorer and Opera it's still possible to hide the dodgy part of the URL from being shown in the warning message by adding several spaces into the steam:// URL itself."

Researchers also released a proof of concept video here.

Researchers say that the best way users can protect themselves is to manually disable the steam:// URL protocol handler or to use a browser that doesn't automatically execute steam:// URLs…
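On the publishing side, a site that accepts user-submitted links can flag URLs that a browser would hand to an external protocol handler, including ones padded with spaces in the way the researchers describe. This is an added example, not code from ReVuln, Valve or the article; the scheme allowlist, the padding threshold and the sample markup are assumptions.

```javascript
// Added example: audit hrefs for schemes handled outside the browser.
// ALLOWED_SCHEMES and PAD_THRESHOLD are assumptions; tune them for your site.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);
const PAD_THRESHOLD = 3; // consecutive spaces treated as prompt-hiding padding

// Decode %20 and similar escapes without throwing on malformed input.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (_) { return s; }
}

// Classify one href. Links without a scheme are relative and stay in the browser.
function auditLink(href) {
  const raw = String(href).trim();
  // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(raw);
  if (!m) return { href: raw, scheme: null, external: false, padded: false };
  const scheme = m[1].toLowerCase();
  // Anything outside the allowlist is treated as needing review.
  const external = !ALLOWED_SCHEMES.has(scheme);
  // Look for literal or percent-encoded whitespace runs after the scheme.
  const body = safeDecode(raw.slice(m[0].length));
  const padded = new RegExp(`\\s{${PAD_THRESHOLD},}`).test(body);
  return { href: raw, scheme, external, padded };
}

// Pull href values out of an HTML fragment and return the ones needing review.
function auditHtml(html) {
  const re = /href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const findings = [];
  for (const hit of html.matchAll(re)) {
    const r = auditLink(hit[1] ?? hit[2] ?? hit[3]);
    if (r.external) findings.push(r);
  }
  return findings;
}

// Constructed sample markup; the steam:// paths are placeholders, not real commands.
const SAMPLE = `
<a href="https://example.test/news">news</a>
<a href="/forum/thread/1">thread</a>
<a href="STEAM://placeholder-command/arg">join server</a>
<a href='steam://placeholder-command/a%20%20%20%20%20%20b'>free game</a>`;

for (const f of auditHtml(SAMPLE)) {
  console.log(f.scheme, f.padded ? "PADDED" : "plain", JSON.stringify(f.href));
}
```

Flagged links can be stripped, rewritten to plain text, or held for moderation; the padded flag marks those whose visible part in a confirmation dialog may not show the whole URL.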

Source: Blue's News



  1. 0
    Dennis Stewart says:

    Remember, it first requires you to click on a bogus Steam link.  Also, for it to be effective at all, it requires someone to have access to your network, in which case there are much easier attacks they can perform.

  2. 0
    Left4Dead says:

    I thought of one other possible exploit avenue in this vein:  The Steam mobile apps.  I know the Android app allows for remote installation of games via the Android app if the PC/Mac is logged into Steam.  It possibly sends a 'steam://' URL to the running client.  On Android, it is possible to add a handler for specific URLs, so the app might simply forward on requests to the client.  Tapping a carefully crafted Steam URL on your Android phone/tablet under these circumstances might cause a PC to become infected with malware.

    The probability of this actually happening, or even being possible in the first place, is pretty slim.  The remote install feature of the app doesn't work at all for me on my Android device, so this feature being "broken" might be a saving grace for the Steam devs.

    If you know a Steam dev, you might want to forward this to them as a reminder to make sure they test the mobile apps for this exploit too.

    -- Left4Dead --

  3. 0
    Left4Dead says:

    That's a legit XSRF and buffer overflow attack vector for Steam – the ability to create AND execute any ol' file on the file system is just asking for others to exploit it.

    I hadn't thought about this one.  Makes me wonder what other custom protocol hooks are similarly vulnerable.  Custom protocol handlers have always made me leery but this is the first serious exploit of such things that I'm aware of.

    Due to the severity of this issue, this will likely be patched fairly quickly.  Guess what application I'm NOT using until this is patched?  Time to dust off the retail boxed games!

    -- Left4Dead --

  4. 0
    Dennis Stewart says:

    You can use it to launch specific applications.  For example, on the website for the group I play with, we post steam links that will launch a game (like counter strike) and automatically connect to a specific server.  The Steam community website used to use these (they don't anymore) to make it so when you clicked on "add friend" it would launch Steam.

  5. 0
    Sora-Chan says:

    If I recall, the steam store makes use of it. (meant to be a reply to MaskedPixelante)

    ╔╦═╣Signature Statement╠═╦╗

    If you don't like something I said in a post, don't just hit the dislike, let me know your thoughts! I'm interested in knowing everyone's opinions, even when they don't mesh with my own.
