Valve Fixes Steam Crypto Bug That Exposed Passwords in Plaintext

Exterminator

Valve updated the Steam gaming client to fix a severe security issue in the application's crypto package that under certain conditions would have allowed an attacker to view a user's password in plaintext if observing network traffic when the user was authenticating on the platform.

Security researcher Nathaniel Theis (XMPPwocky) is the one that discovered the issue and also wrote an advanced technical write-up detailing the attack's steps.

To understand the attack, users first need to know how Steam's cryptography works. Valve designed the Steam crypto module to keep data secret and to authenticate connections so nobody can pass as another user.

Steam keeps data secret by encrypting all sensitive traffic with a session key. This session key is generated with an AES-256-CBC algorithm, encrypted with RSA-1024 plus a hardcoded public key, and then sent to Steam's servers, where it is decrypted and used to decrypt traffic coming from the user.

Steam encrypted traffic was susceptible to MitM attacks
Researchers said that the "secret" part of Steam's encryption system was not the problem, but the "authentication" part, about which they said Valve failed to protect using an MAC (Message Authentication Code).

The lack of an MAC allows a third-party to carry out man-in-the-middle (MitM) attacks that could get victims VAC-banned or even expose passwords in plaintext. Theis said the last part was possible because of a so-called oracle attack which leaks data via the encryption's padding field.

The researcher reported the issue to Valve at 3:12 AM and he says that by 2:45 PM on the same day, the company already deployed a partial fix, with a complete fix added at a later time.

Theis received help from a fellow researcher that goes by the name of Zemnmez and both received the Burning Flames Finder’s Fees from Valve. The company also inducted Theis into Steam's Security Hall of Fame.

DJ Panda

Thankfully Steam automatically updates whenever I open the program. If you want to play the games I have buy them yourself. :p