A common bug in the ubiquitous digital distribution platform Steam potentially allowed hackers to steal users' accounts, get them to involuntarily buy items on the Community Market, get users to install malware, and perhaps even take control of their computers. The bug could likely have been exploited to make a self-spreading worm too, according to hackers and security researchers.
Steam's operator Valve announced that it fixed the bug earlier today, but with over 125 million monthly active users on its platform, the exploit could have wreaked havoc for thousands of people, and for the company itself.
"Anyone who views a specially crafted profile gets popped," a white hat hacker who has found several bugs in Steam in the past, and asked to remain anonymous, told me in a Twitter DM.
"Phishing scams and virus downloads are possible at the very least, but if account takeovers are possible, that's about as bad as XSS gets," Jeremiah Grossman, a web security expert, said in a chat.
A Valve spokesperson said the bug was fixed on Tuesday at noon, but there's no telling how long the door was open for hackers to exploit it. (The spokesperson did not immediately respond to a request for comment.)
The bug was so bad that the moderators of the Steam subreddit told users to refrain from visiting other users' profiles.
While XSS is a common class of web bug, in this case it could have wreaked havoc for Steam users, according to several security researchers and hackers who have found bugs in Steam in the past.
Grossman and Jake Davis, a former LulzSec hacker, confirmed that the bug existed as of Tuesday morning and analyzed the potential attacks that bad guys could do if they were to exploit it.
"If something like this were to be found on Google or Facebook, it would be a high-severity issue," said Grossman, who's the Chief of Security Strategy at security firm SentinelOne. "This looks like it could be wormable, which would make user account takeovers possible—if the victim user visits the wrong profile. No real safeguards are possible."
In theory, a malicious hacker could've abused this bug to essentially do what Samy Kamkar did when he exploited a bug in MySpace to get one million friends.
"Hypothetically someone could create a virus that, when opened by the victim, takes over their system and adds the same XSS [code] to their Steam profile, and so on, creating an exponential monster," Davis told Motherboard in an online chat.
"Given the XSS occurs within a trusted part of the Steam experience, it wouldn't be a stretch to imagine you could disguise an exploit as some sort of Steam update and push it to the user's downloads before redirecting back to a legitimate Steam page," Davis continued. "With enough wrangling and clever psychological tricks I reckon that would spread fairly quickly."
Davis also showed that it was possible to make someone download a dummy malware file called "open_me.exe" just by tricking a Steam user into visiting a certain profile.
Perhaps the most damaging attack, at least for Valve itself, would have been to exploit this bug to make users buy items from the Steam Community Market, as long as the items were under the cost limit that requires no confirmation, according to the anonymous white hat hacker and another researcher who has also found similar bugs in Steam. Hackers could also have turned this into a worm, ratcheting up profits.
In other words, a hacker could have made hundreds of thousands or perhaps millions of users pay them a few dollars. Luckily, the bug is now fixed.
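The root cause described throughout the article is a stored XSS: markup saved into a profile field is later rendered, unencoded, into the page of whoever views that profile. The following Python example, added here and not code from Valve or from the researchers quoted, shows the two defensive halves of that problem: encoding a user-supplied profile summary on output so stored markup is displayed rather than executed, and an audit check that flags stored fields carrying script-like content for cleanup. The profile strings are constructed samples, not real Steam data.

```python
import html
import re

# Constructed sample profile "summary" fields as they might sit in storage.
# Illustrative inputs only; these are not real Steam profiles.
SAMPLE_PROFILES = {
    "alice": "Plays mostly co-op. GG!",
    "mallory": 'hi <script src="https://example.invalid/w.js"></script>',
    "eve": '<img src=x onerror="alert(1)">',
}

# Markup that has no business in a plain-text profile field: script-bearing
# tags, inline event handlers, and javascript: URLs.
SUSPICIOUS = re.compile(
    r"<\s*(script|iframe|object|embed)\b|\bon\w+\s*=|javascript:",
    re.IGNORECASE,
)


def render_summary(summary: str) -> str:
    """Render the summary as safe HTML text.

    Every user-supplied character is entity-encoded, so a stored <script> tag
    is shown literally to the viewer instead of being executed in their
    session. This is the fix that actually closes the bug.
    """
    return f'<p class="summary">{html.escape(summary, quote=True)}</p>'


def flag_profile(summary: str) -> bool:
    """Audit check for already-stored content.

    Returns True when the field looks like an injection attempt. This is for
    alerting and cleanup of existing data, not a substitute for encoding.
    """
    return SUSPICIOUS.search(summary) is not None


def audit(profiles: dict) -> list:
    """Return the sorted names of profiles whose summary is flagged."""
    return sorted(name for name, text in profiles.items() if flag_profile(text))


if __name__ == "__main__":
    for name, text in SAMPLE_PROFILES.items():
        print(name, flag_profile(text), render_summary(text))
```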