
Hacker Drops Steam Zero Day After Being Banned From Valve Bug Bounty Program

Valve says banning him was a mistake, but he made the bug public anyway.

by Wayne Rash
Aug 27 2019, 12:00pm

Security researcher Vasily Kravets publicly dropped a zero-day for the Steam game platform last week after saying he was banned from parent company Valve's bug bounty program.

Kravets, who is a security researcher for the R&D department at Advanced Monitoring in Moscow, said that the trouble began in May, when he reported a security bug in the Steam gaming platform through HackerOne. HackerOne handles the bug bounty program for Valve and for a number of other companies. Valve said banning him was a mistake.

Kravets said that he was prevented from using the HackerOne bug reporting service after Valve rejected his findings, telling him that the problem would not be fixed. When he found another similar bug and was unable to report it through HackerOne, he decided to release the report publicly. This caused an uproar because it's rare for security researchers to publish detailed hacking notes publicly before the vulnerability is fixed.

“I clearly realized that something was broken in that process. It is obvious that nothing was going to change,” Kravets said in a Twitter message, “moreover [HackerOne] noticed my last message in the thread (before public disclosure) only two weeks after I post the message. There is nothing other left [sic] than make report public.”

The vulnerabilities that Kravets found in the Steam software allowed local privilege escalation from within Steam as described in his blog entry. According to communications between Kravets, Valve, and HackerOne, it appears that Valve didn’t consider such privilege escalation to be a security problem, despite its potential as a pathway for malware to infect an operating system, in this case Windows.

“Then I found another vulnerability. I asked [HackerOne] what should I do? I didn't want repeat of the story. After 5 days I was banned and had no other choice than public report one more time,” Kravets explained.

For its part, Valve has acknowledged that refusing to accept the bug report was a mistake.

“We are also aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake,” the company said in a statement. The company said that it has updated its bug reporting guidelines to specifically accept bugs of the sort that Kravets reported.

Since those reports, Valve has issued updates to its Steam software that fix the privilege escalation issues. However, those updates came only after Valve had sent Kravets an email saying that the company would no longer accept his bug reports.

This may be changing. Valve’s VP of marketing, Doug Lombardi, provided additional details regarding the incident and the company’s actions.

“We are aware of the recent reports of two zero day local privilege escalation bugs related to the Steam Client,” Lombardi said in an email. “Both of these bugs used Steam to allow already installed malware to escalate from local user to administrator level privileges. Neither of these bugs could be executed remotely without first compromising a user’s machine outside of Steam. We have released updates to the Steam Client public beta channel to address these issues, and we have already pushed some initial fixes to all users.”

For its part, a spokesperson for HackerOne told Motherboard that, “The hacker was never banned from the HackerOne platform.” However, Kravets went back and checked, and reports that he is, indeed, still locked out of reporting bugs about Steam on HackerOne.

Although the bug bounty program offers monetary rewards for finding and reporting bugs, Kravets said that he’s not interested in the money.

“I want Valve to make public statement (blogpost or so on) about this situation,” he said. “Yes, I know that they share some words with journalists, but this is not the same as official post. About bounty—I never mention money in any of my posts, messages or so on. This is not my question.”