Heat On Steam App Grows With Discovery Of Another Security Flaw
By: Jim Stickley and Tina Davis
September 1, 2019
The popular Steam gaming platform is under scrutiny again for yet another security flaw. This latest vulnerability gives malicious apps and malware elevated privileges on a system. In the wrong hands, this zero-day flaw allows bad actors to take over an entire system using Steam as the launchpad. Unfortunately, it’s the second zero-day vulnerability that Valve, the Steam creator, is facing this summer. The Steam app currently has more than one billion registered accounts with over 90 million active users monthly. The sheer number of Steam users, including many children, is enough to concern cybersecurity experts. Researchers found Valve inept at reacting to the first flaw and believe the response to this latest discovery is no better. In the meantime, Steam users running Windows remain vulnerable to exploitation.
Earlier this summer, researchers discovered the Steam app had a security glitch that created a zero-day vulnerability for account holders. A zero-day is a software flaw that bad actors can exploit while the company has yet to release a security patch. Since Valve has yet to address this latest bug, hackers are free to take advantage of it. The security patch Valve released to fix the first flaw was insufficient, leading to continued zero-day security exploits with the latest discovery. The flaw allows bad actors to execute malicious code with elevated administrative privileges, also called local privilege escalation. Those privileges lead to personal data theft, disabled firewalls and antivirus protections, malware installation, and eventually a complete takeover of the device.
There are steps gamers, parents and other users can take to minimize exposure to security flaws. Since it’s never too early to be safe online, parents should educate their children about basic cyber-smarts. Make sure kids always download apps in your presence. Pay close attention to the many pop-up windows asking for access to information, especially when it’s not needed for the app to function. For example, Candy Crush doesn’t need access to the device’s camera, and almost nothing needs administrator rights. Those with bad intent use permission pop-ups to gain access to sensitive data like name, age, location, and contacts, hoping no one is paying attention and will just click “Yes” all the way through the setup.
Always download from official sites and never sideload apps from questionable sources. Email phishing is also a hacker favorite, so beware of emails from strange or unknown senders and never click on email links or attachments. When updates are available, apply them immediately as they often contain fixes for security bugs. Lastly, when finished using Steam or done for the day, always shut the system down.