
Steam Browser Protocol Vulnerability can allow hackers to hijack PC

Italian security researchers Luigi Auriemma and Donato Ferrante of ReVuln have reported a flaw in the Steam Browser Protocol. Steam is the popular online distribution platform with 54 million users.


The flaw allows an attacker to write arbitrary text to a file, direct victims to external payloads, and even take over the computer. The popular gaming platform uses the steam:// URL protocol to run, install and uninstall games, back up files, connect to servers and reach various sections dedicated to customers.

Safari, Maxthon, Firefox and other browsers based on the Mozilla engine can be made to invoke Steam URLs quietly.

In their report, the researchers said that browsers including Firefox and software clients including RealPlayer would execute the external URL handler without warnings and were “a perfect vector to perform silent Steam browser protocol calls”.

The researchers demonstrated how users of the massive Source game engine, which hosts games like Half-Life and Counter-Strike, could be attacked. They used four commands to write custom code to a file, including a bat file that executes commands when users start up Steam. They were also able to execute remote malicious code via the Unreal engine, which was affected by many integer overflow vulnerabilities.

"In one proof of concept involving the Steam browser, attackers used malicious YouTube links within Steam user profiles to bait users. Users who viewed the videos and wished to leave comments would be phished with malicious steam:// URLs that pointed to external sites," explained Darren Pauli.
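
Because the risk described above comes from steam:// URLs being invoked without a warning, a content filter or page review can separate references that fire on page load from those that need a click. The following is an added example, not code from the researchers or from Steam; the choice of which tags count as loading automatically is this example's assumption, and the sample page with its placeholder paths is constructed.

```python
import re
from html.parser import HTMLParser

# Assumption of this example: these attributes start a navigation as soon as
# the page renders, so a steam:// value there needs no click from the user.
AUTO_LOAD = {("iframe", "src"), ("frame", "src")}
# These need a user action (click or submit) before the URL is followed.
CLICK = {("a", "href"), ("area", "href"), ("form", "action")}
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.I)

def is_steam(url):
    # URL parsers ignore leading whitespace and scheme letter case.
    return url.strip().lower().startswith("steam://")

class SteamRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (trigger, tag, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            if m and is_steam(m.group(1)):
                self.findings.append(("auto", tag, m.group(1).strip()))
            return
        for name, value in a.items():
            if is_steam(value):
                trigger = ("auto" if (tag, name) in AUTO_LOAD else
                           "click" if (tag, name) in CLICK else "other")
                self.findings.append((trigger, tag, value.strip()))

def scan(html):
    finder = SteamRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; the steam:// paths are placeholders, not real commands.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0; url=steam://placeholder/one">
</head><body>
<iframe src=" STEAM://placeholder/two" width="0"></iframe>
<a href="steam://placeholder/three">join</a>
<a href="https://example.com/">ok</a>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Findings tagged `auto` are the ones to block or alert on first, since they correspond to the silent invocation the report describes.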



