A bug that could've been exploited to take over any PC has been lurking in the Steam gaming client for at least the past decade.
Tom Court, a researcher at security firm Context, noticed the problem in some "very old" Steam computer code, which could have potentially allowsed a hacker to remotely hijack the client and execute commands over the PC.
Court demonstrated the severity of bug on Wednesday in a video of it being used to open the Calculator app on a fully patched Windows 10 PC.
According to Court's blog post, the problematic code involves the way Steam communicates over the internet and fails to check a specified data packet length. "This was a very simple bug, made relatively straightforward to exploit due to a lack of modern exploit protections," he wrote.
Court reported the problem to Steam's developer, Valve, in February; it quietly fixed the bug with an update on March 22. He speculates that developers probably saw no reason to change the problematic code before then, given that it was "otherwise in good working order."
Steam launched in 2003 and has since amassed over 125 million users. To exploit the vulnerability, an attacker had to be able to observe the internet traffic of the target's computer to learn the client/server IDs, and then tamper with the data sent to the Steam client.
In an email, Court told PCMag: "It would have been easy to exploit if the attacker was on the same LAN as the victim, in which case they could passively observe traffic going to/from victim's PC and learn the correct IDs."
"Note that the victim did not need to be playing a game to be vulnerable, so just sitting on a public Wi-Fi with the steam client running in the background would have been enough to let a hacker compromise their machine," he added.
Recommended by Our Editors
Last July, Valve also updated its Steam client with new security protections, so anyone who tried to exploit the bug after that would've failed to trigger remote code execution and simply caused the client to crash, according to Court.
Valve has not yet commented on the vulnerability, or whether any malicious actors exploited it.
Editor's note: This story has been updated with comment from Court about the vulnerability.
Valve Purges Dev's Games from Steam
Like What You're Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Sign up for other newsletters
