- Oct 23, 2012
Valve updated the Steam gaming client to fix a severe security issue in the application's crypto package that, under certain conditions, would have allowed an attacker observing network traffic while a user authenticated on the platform to view that user's password in plaintext.
Security researcher Nathaniel Theis (XMPPwocky) discovered the issue and also wrote a detailed technical write-up describing the attack's steps.
To understand the attack, users first need to know how Steam's cryptography works. Valve designed the Steam crypto module to keep data secret and to authenticate connections so nobody can pose as another user.
Steam keeps data secret by encrypting all sensitive traffic with a session key. This session key is an AES-256 key used in CBC mode; it is encrypted with RSA-1024 under a hardcoded public key and then sent to Steam's servers, where it is decrypted and used to decrypt the traffic coming from the user.
Steam encrypted traffic was susceptible to MitM attacks
Researchers said that the "secret" part of Steam's encryption system was not the problem, but the "authentication" part, which Valve had failed to protect with a MAC (Message Authentication Code).
The lack of a MAC allows a third party to carry out man-in-the-middle (MitM) attacks that could get victims VAC-banned or even expose passwords in plaintext. Theis said the latter was possible because of a so-called padding oracle attack, in which the receiver's different responses to valid and invalid padding leak information about the encrypted data.
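The missing piece the article describes, an authentication tag over the CBC ciphertext, shown as an added example that is not Steam's code or Theis's write-up: a receiver that decrypts and then checks padding answers a tampered message in two distinguishable ways (accepted, or a padding error), while an encrypt-then-MAC receiver rejects every modified message identically before decrypting anything. The block cipher is a toy stand-in for AES-256 (an assumption made so the example runs on the standard library alone); the key and IV values in it are constructed.

```python
import hmac, hashlib, os
BLOCK = 16  # 128-bit blocks, as in AES-CBC
# Toy 128-bit block cipher (4-round Feistel, SHA-256 round function) standing in for
# AES-256 so this runs on the standard library alone; it is NOT secure, the wrapper is the point.
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]
def _block_enc(b, key):
    l, r = b[:8], b[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r
def _block_dec(b, key):
    l, r = b[:8], b[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(plaintext, key, iv):
    n = BLOCK - len(plaintext) % BLOCK  # PKCS#7 padding, always 1..16 bytes
    padded, out, prev = plaintext + bytes([n]) * n, b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = _block_enc(_xor(padded[i:i + BLOCK], prev), key)
        out += prev
    return iv + out

def receive_unauthenticated(data, key):
    # Pre-fix style receiver: decrypt whatever arrives, then check the padding. A
    # modified message is either accepted or fails with a padding error: the oracle.
    iv, ct = data[:BLOCK], data[BLOCK:]
    pt, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        pt, prev = pt + _xor(_block_dec(ct[i:i + BLOCK], key), prev), ct[i:i + BLOCK]
    n = pt[-1]
    if not 1 <= n <= BLOCK or pt[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return pt[:-n]

def seal(plaintext, enc_key, mac_key, iv=None):
    data = cbc_encrypt(plaintext, enc_key, iv or os.urandom(BLOCK))
    return data + hmac.new(mac_key, data, hashlib.sha256).digest()  # encrypt-then-MAC

def receive_authenticated(sealed, enc_key, mac_key):
    # Verify the tag before any decryption: every tampered message fails the same
    # way, so the receiver leaks nothing about padding or plaintext.
    data, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, data, hashlib.sha256).digest()):
        raise ValueError("rejected")
    return receive_unauthenticated(data, enc_key)
```

Flipping a single byte of the IV makes `receive_unauthenticated` either raise "bad padding" or return a wrong-length plaintext, whereas `receive_authenticated` answers "rejected" for any change to the IV, ciphertext or tag.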
The researcher reported the issue to Valve at 3:12 AM and says that by 2:45 PM the same day the company had already deployed a partial fix, with a complete fix following later.
Theis received help from a fellow researcher who goes by the name Zemnmez, and both received Burning Flames Finder's Fees from Valve. The company also inducted Theis into Steam's Security Hall of Fame.