Italian security Researchers Luigi Auriemma and Donato Ferrante from 'ReVuln' reported the flaw in Steam Browser Protocol. Stream the popular online distribution platform with 54 million users.
Cybersecurity


The flaw allow the attacker to write arbitrary text to file and direct victims to external payloads and even the computer can take over. The popular gaming platform uses the steam:// URL protocol in order to run, install and uninstall games, backup files, connect to servers and reach various sections dedicated to customers.

It is possible to Safari, Maxthon and Firefox and other browsers based on the Mozilla engine, this quietly Steam URLs to invoke.

In report they said that browsers including Firefox and software clients including RealPlayer would execute the external URL handler without warnings and were "a perfect vector to perform silent Steam browser protocol calls".

The researchers demonstrated how users on the massive Source game engine, which hosts games like Half-Life and CounterStrike, could be attacked. They used four commands to write custom code to file, including a bat file that executes commands when users started up Steam. They were also able to execute remote malicious code via the Unreal engine which was affected by many integer overflow vulnerabilities.
The Hacker News

"In one proof of concept involving the Steam browser, attackers used malicious YouTube links within Steam user profiles to bait users. Users who viewed the videos and wished to leave comments would be phished with malicious steam:// URLs that pointed to external sites." explained by Darren Pauli.




Subscribe to our Daily Newsletter via email - Be First to know about Security and Hackers. or Join our Huge Hackers Community on Facebook, Google+ and Twitter.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.