Feeling Vulnerable? Steam’s Protocol Could Allow Attacks

By John Walker on October 17th, 2012 at 6:00 pm.


Is Steam killing your children?, I was tempted to title this article. We’re not sensational enough here. But it does seem that Steam offers some serious vulnerabilities to your PC, if a paper published by security research company ReVuln is accurate. As reported by PCWorld, it seems the steam:// protocol might be a way in for nefarious types.

Protocols are of course a type of bacteria used by websites to load information. The Hypertext Transfer Protocol (http) with which we’re most familiar was discovered growing on a leaf in Tim Berners-Lee’s back garden. Since then a number of other species have been found, including that used by Valve, coincidentally named steam://. This means that whenever you click on a URL that begins “steam://” your computer knows it’s for Steam to handle and execute.

And because those commands can contain lots of extra information – as anyone who’s ever augmented a Steam path to load a game in dev or safe mode, for instance, will know – it means naughty people can also put instructions into such URLs that you might not want. What ReVuln is claiming is that such instructions can be used to exploit vulnerabilities within Steam, or even in Steam games, and do damage. They show how this is possible in a handy video:

ReVuln – Steam Browser Protocol Insecurity from ReVuln on Vimeo.

The issue seems to stem from browsers and applications that hand over to Steam without checking with you first. And of course when you’ve told your browsers and applications to do exactly that. So you can see above how exploiting this stuff allows them to install executables on your machine, or… well, I’ll quote the paper as it’s far beyond me:

“The retailinstall command is an undocumented feature (not a bug) of the Steam Browser Protocol that allows installing and restoring backups from a local directory. One of its parameter is path that is used to specify this local directory but obviously this directory can be a Windows network folder available on a remote host. When Steam executes the retailinstall command, Steam checks and loads two files: splash.tga (an image) and sku.sis (an install file). The splash image gets displayedimmediately (Figure 3 ) to the user as soon as the command gets executed.

The Steam function in charge of processing the splash images is vulnerable to an integer overflow vulnerability while processing malformed TGA files. The problem is located in LoadTGA function of vgui2_s.dll that loads TGA files in memory (Figure 4). The result is a heap-based buffer-overflow that may allow executing malicious code on the Steam process.”

That’s just one example of the issues they found.

They’re not all about knocking things down, however. They also offer solutions. And the first and foremost is ensuring that you don’t allow steam:// URL handlers on your machine to directly execute Steam stuff, while Steam itself could avoid passing “command-line arguments to third party software and undocumented commands accessible from external and untrusted sources like the internet.”

So, er, I guess it’s over to Valve now. We’ve asked them for a comment. They don’t often reply.


« | »

, , , , .


  1. Cooper says:


    When told about a vulnerability in private (rather than this public annoucement by ReVuln) that can lead credit card details to be accessible, it takes Valve over three months to fix it:

    Let’s see if the public eye might make them move a bit more sharpish…

    In anycase: Non http(s):// protocols are an obvious vector for attack. That report highlights how vastly different the approach to these protocols are in different browsers.

    • Dan Puzey says:

      These protocols (including HTTP with or without the S) are no different in their handling to any file extension; opening un-vetted links to any protocol (including HTTP) will always allow malicious behaviour where people are determined; this is no different in that respect to any other phishing attack that involves malformed links or trojan email attachments.

      • Cooper says:

        Almost all browsers deal with executable files accessed via http very, very differently to how they deal with steam:// or spotify:// or whatever else.

        Almost no browser will download and execute any file accessed via http without explicit permission from the user. This is sensible. Why that same sense is not applied to executing programs via other protocols is odd.

        • LionsPhil says:

          Strictly speaking, the browser doesn’t know what that protocol handler will do. It’s not impossible for it to just be a message to a download tool for some new protocol the browser doesn’t yet support, for example, which would be no less safe than downloading something through the browser itself. In fact, GOG Downloader is very much like this, except it’s even also scoped that (from what I can see) it can only ever refer to games from GOG themselves. Running a trusted local executable with arguments from the Internet is not the same as running an executable from the Internet.

          But it’s not guaranteed to be safe either, which is why the browser should be a healthy skeptic and prompt. Most do.

    • eks says:

      It’s been 9 months since I opened a ticket with Steam detailing a way to access any Steam account’s list of games and inventory who haven’t setup a community profile. All I got was a generic “we’ve forwarded it onto the appropriate department”. It still hasn’t been fixed.

      You may think this isn’t that important, but it includes all games they’ve purchased and how long they have spent on each game. Plus, if they gave a crap about their customers privacy this sort of shit would all be locked down by default.

      • El_Emmental says:

        locked down by default
        vast majority of people never activate it (lazyness and ignoring it even exists)
        people complain (consciously or unconsciously) about Steam not being really community/friends-friendly, lacking social features, and go on other DD platform like Origin, where the default option is “public profile” (with an opt-in option to make it private)

        You think it should be private because of the right to privacy.

        Companies think it should be public because of commercial interests (for direct (marketing) and indirect (social-crowd-marketing) benefits).

        People don’t care about it (until something terribly wrong happen to them/to someone they can relate to) and just want the system to work & be socially relevant.

        Nobody is right or wrong.

        • eks says:

          Do you even know what you are talking about? This is for Steam accounts who do not want to participate in the community or do not even know it exists. You can have a Steam account and not have a Steam community account, they are completely different accounts.

          I’m talking about where anyone can access any Steam account which hasn’t setup a Steam community profile account. Whether you like it or not, people have an expectation of privacy. You aren’t even given an option in your Steam account to make it private, it is obviously a security flaw which hasn’t been fixed.

          “People don’t care”. This is bullshit. They don’t know. I’m not talking about having Steam community integration where you setup an account to interact with your friends and it’s public by default. Every single Steam account (different to a community account) can be accessed publicly, with all their items and games, along with time spent public.

          The “competition” reason doesn’t fly either. How on earth does it benefit anyone by leaving a glaring security hole in your application?

          • BluElement says:

            You say the “people don’t care” argument is BS because “people don’t know”?

            Well, now I know.

            Still don’t care.

      • Lacero says:

        Any chance of more details? Do I just need to add something to my profile to stop it?

        • eks says:

          Too fearful of repercussions to give out details. I don’t have a bunch of cash to piss away defending any legal threats or whatever. The way to protect yourself is to setup a Steam community account attached to your Steam account and then in those settings set your profile private, that will make sure they can’t be accessible.

          • Lacero says:

            ah I see, it’s in profile -> edit profile (top right) -> settings -> make everything private
            Thanks I was always a bit suspicious of this and it’s good to close it off

      • The Random One says:

        But how did they forward to the appropriate department if Valve is decentralized and has no departments?

        Ha! Finally, the Valve house of lies crumbles like a house of cards! Cards that are lies! The house is a lie also!

      • Savagetech says:

        When you say “access any Steam account’s list of games and inventory” do you mean like “use the assets of that account as though they were your own” or more “view the details of the account”? I couldn’t give a whit if someone sees that I waste hundreds of hours on a few games while others languish unplayed, but if they’re also seeing my full name, credit card number, and a livestream of my swinging meatsack then I might be concerned.

        So, what are we talking here? Is this just the modern internet standard of “everything is public by default lawl you have to ask for privacy n00bz” or “gigantic oozing security hole that threatens to devour our children”?

      • yrro says:

        9 months is more than enough time for Valve to get their arse in gear and fix the vulnerability you discovered. Time for full public disclosure, IMO.

  2. Dr I am a Doctor says:

    Nah not really

    • Wreckdum says:

      I have literally never used the Steam browser for anything in the 7 years I’ve been on it. Alt-Tab works fine for me…

      • Unaco says:

        It isn’t an issue with the Steam Browser (the thing you can access with Shift+Tab when in a Steam game). It’s an issue with how your regular, everyday Web Browser handles links/URLS with the Steam prefix (steam://Whatever links, basically. An example of one of these would steam://friends/joinchat/103582791429554934 which would make you join the RPS Group Steam chat room). The problem comes when it isn’t something as innocuous in the URL.

        • jrodman says:

          FWIW, on my computer firfefox just gives an error for such URLs. I think only IE handles them.

          • frymaster says:

            without actually checking, it’s possible that if you installed steam before firefox it only set up the protocol handling for your installed browsers. Certainly steam:// links work for me in IE, chrome, firefox, opera, and even in mumble (though that last one is because I asked them to make sure they’d work)

        • Naum says:

          The report (haven’t watched the video) also describes a way to trick the Steam client browser — but not its overlay variant — into opening steam:// URLs without any notice or warning, which makes it a potential vector for malicious attacks related to the steam protocol. However, the process is fairly complicated and surely won’t be the main focus of people trying to exploit this vulnerability.

          • LionsPhil says:

            Cunning, but at the same time kind of easy to avoid. If you find yourself going outside of Valve’s playpen within the normal Steam browser, stop. I didn’t see a way to spontaneously get it to go anywhere nasty (e.g. that may then kick off a steam: URL via JavaScript or redirects), only via YouTube.

            Still. Kind of surprised Valve don’t have it on a tighter leash, and that getting to YouTube within it even works.

  3. MrNash says:

    I hope Valve fixes things on their end, as my eyes started glazing over a bit trying to understand the technical aspects of that report.

    • Squishpoke says:

      If you click a link, it can open up steam instead of your browser.

      Bad people can subtly change the link and do bad things.

  4. AraxisHT says:

    There is a way to use this to involuntarily change someone’s Steam community Avatar.

    • Stevoisiak says:

      I could be mistaken, but I think they fixed that.

      • Bakuraptor says:

        Me and my friends spent a fair part of last week doing exactly that via sending each other tinyurl links; it’s still very possible unless there’s been a recent update.

    • Unaco says:

      That would likely be the least of the issues here. Something a little troublesome, but nothing too major. And yes, several people in the RPS Steam Chat room ended up with Baroness Thatcher avatars one day this weekend. I think 1 or 2 may have even decided to keep them.

      Of more concern would be something like that mentioned in the article here, or exploiting the Command line params of a Source or Unreal Engine game (which you can include in the malicious steam:// URL). Theoretically, it’s possible to use this to create an attacker dictated .bat file in your Windows Startup folder (executing whenever you log on). Was one of the attacks ReVuln have shown.

  5. Stevoisiak says:

    Thanks for being the first website to explain why this exploit is actually dangerous.
    From what I had seen on other websites, it seemed that the worst this could do was to run one of your Steam games without asking you.

  6. Wisq says:

    And this is why I use my Windows gaming machine exclusively for gaming, and my other (non-Windows) machines for productive stuff. (And questionably productive stuff, like web browsing.)

    True, the steam:// exploit might now apply to Linux and Mac machines, but I can guarantee you that 99% of the attempted exploits will be specific to Windows, just due to it being a larger target audience, and having more avenues to exploit (e.g. running stuff off a network share). And my other machines don’t have Steam running in any case.

    • Unaco says:

      There are no (currently) known attempted exploits using this. Currently, it’s been identified as a possible Vector for attack (a ‘malicious’ steam:// URL is unlikely to do anything by itself, but it’s a way to exploit other vulnerabilities).

      And as for Windows being the most likely target? Not necessarily. OS X is actually likely to be the target, due to it being the Safari web browser that is the most vulnerable to this (IE9 & Chrome ask before opening the steam:// URL and give the URL itself, Firefox asks, but only provides part of the URL, Safari doesn’t ask and simply executes), and Safari is most likely to be used on OS X.

    • Aemony says:

      And yet it’s pretty much only the Safari web browser that doesn not ask the user if the steam:// protocol command should be run locally, which Firefox, Chrome and even IE does before running it. Touché!

      • LionsPhil says:

        $64,000 question: what does Steam’s overlay browser do?

        Edit: Some testing seems to indicate that it just outright ignores steam: URLs on other domains.

        • Naum says:

          Re testing: Opera shows a confirmation dialogue unless there’s a Steam entry under Settings -> Advanced -> Programs. The dialogue shortens URLs beyond a certain length, however, making it possible to somewhat disguise a maliciously crafted link.

          • LionsPhil says:

            Yeah, Firefox and IE don’t show the blasted URL at all (as the paper also observes, I see).

            Cheers, added that location.

    • LionsPhil says:

      It’s not really OS-specific, beyond coming down to how URL handlers are done on your platform. I’ve made comment on this before.

      For Windows, protocol associations are in the registry. For Linux I suspect FreeDesktop have a standard by now (or twelve), and OS X will have something too. As long as some kind of system protocol-to-program mapping exists, and Steam exists on the platform, everything else is up to the browser in use.

      If you’re using a browser that hands off things to ShellExecute or such willy-nilly, that’s a bit wreckless of it, to say the least.

      (That said, specific malformed splashscreen-style attacks are more platform-specific.)

      • LionsPhil says:

        Also, it’s worth noting that both Skype and the GOG Downloader do this too. Skype’s is documented. If you go to your GOG games page and turn the downloader switch on, you’ll see the URIs all start with “gogdownloader:”, and if you’re using anything but (apparently) Safari you should get a little “hey, gonna open this with an external program” notice from your browser.

        (And folks who remember the time before everyone just used GMail always and forever for everything might remember the ‘mailto’ protocol.)

        Which is why it’s wreckless for a browser to just hand off foreign protocols to their registered programs given it takes in untrusted sources of URIs (i.e. all the random pages of the Interwebs).

        • Dan Puzey says:

          Also Spotify, and almost anything else that interacts directly with a client application from a webpage.

        • Rikard Peterson says:

          My computer opens mailto: links in GMail, if I can find any. They’re almost extinct these days, not because of GMail, but because of spambot abuse.

        • jalf says:

          Yes, many programs use a custom protocol handler, but just to be clear, that is not in itself a problem. It only becomes a problem if the protocol handler is implemented in a way that can be abused by passing a malicious URL.

          I’m sure you know this, but it wasn’t clear from your comment, so I thought I’d point it out to avoid confusion. :)

          I haven’t looked at exactly what GOG’s or Skype’s protocol handlers do, but they might very well be perfectly harmless.

          Steam’s implementation is particularly stupid because not only does it enable you to pass a variety of commands to the Steam client itself, it *also* lets you pass command line arguments to along list of third-party applications which were not designed with the steam:// protocol in mind.

    • programmdude says:

      Its “probably” windows only, due to the fact that it exploits a buffer overflow in a dll file. It would only be exploitable if mac & linux have the same, or similar, buffer overflow.

      • Brun says:

        That’s just one particular attack that they’re using as an example. The protocol is an attack vector, not a vulnerability in itself. It can be used to exploit other vulnerabilities – those vulnerabilities can be specific to each platform.

  7. SlappyBag says:

    Temp-Fix: Only click on “steam://” links on steampowered.com?

    Obviously thats not 100% possible but if somebody sends you a link directly that used that protocol (e.g. in Stema chat/msn) i guess you’d see the protocol prefix. Its websites that would hide the protocol in the link we should be weary of.

    Also I assume (maybe wrongly) that the Steam.exe must be running? So if you click a link online and steam starts up, Ctrl-Alt-Delete the process. Normally a pop-up comes up saying “Chrome is trying to launch Steam” if you haven’t clicked the “always say yes” checkbox. So theres usually a warning there.

  8. MichaelPalin says:

    So, what is the reason Valve uses their own internet protocol anyways? I always found it fancy, but now I realize I don’t even know why it’s there.

    • LionsPhil says:

      It’s not an “internet” protocol; it’s not a data format for sending down the wire. Just a URL protocol; a way to identify things (well, actions, mostly) within the same kind of namespace as webpages (and everything else, if you’re a Semantic Web junkie).

      At a guess, it’s mostly becuase Steam’s UI is mostly made of webpages in an embedded browser, and it’s a fairly sane way to get the Steam website in any other browser to invoke Steam the program. This “exploit” is, at its heart, desired behaviour.

  9. SuperNashwanPower says:

    I don’t feel intelligent enough to figure out what any of that means.
    I’ve got Defense Grid installed in Steam. So I’m safe, right?

    OK seriously. What do I do?

  10. kraken says:

    Wouldn’t this be enough to fix the issue with firefox?
    (firefox will ask what to do with the steam url instead of silently send them to steam)

    • Naum says:

      Yes, that’s probably a good workaround until the problem is fixed.

  11. Asyne says:

    I see this as a browser issue just as much as a Steam issue. Browsers should prompt when passing URI data to another program – unless the protocol and/or destination program are whitelisted. Steam’s concern should be preventing unprompted account changes caused through URIs, using a plain or comparision confirmation prompt to alert the user that something will be changed.

    • jalf says:

      All browsers I know of, except Safari, *do* ask, at least once. Most give you the option of ticking a “don’t ask me again” checkbox, which is effectively the whitelist you’re asking for. :)

      The real fuckup is on Steam’s part. Having a custom protocol handler is fine, it’s a great way to allow a webpage to send messages to a custom application, but allowing it to interact with unknown third-party applications (the games on your system), or load files from paths specified in the URI is insane.

      It’s also not unlike the problem with UPlay (I think it was. Or was it Origin?) a few months ago.

      Which just underlines what I usually say: game developers don’t give a damn about security, and don’t have any kind of competences in regards to security. All the countless hacks last year were a bit of a hint, and they had at least some moderate kind of interest in protecting their servers with all their users’ account details. But something installed on your computer? They don’t give a fuck.

  12. SuperNashwanPower says:

    Can someone please explain in simple terms how to avoid anything nasty happening? I dont understand the stuff.

    • Dan Puzey says:

      Don’t click links from sources you don’t trust. Standard operating procedure, really.

      • SuperNashwanPower says:

        Is it safe to use the steam browser overlay? I need it for dark souls wiki as I suck at it.

      • LionsPhil says:

        Pretty much.

        If you’re using Firefox, go to Tools > Options > Applications (as above) and make sure Steam (and anything else except perhaps Flash, and podcasty stuff Firefox handles itself) is set to “always ask”. This is the default setting, though.

        • SuperNashwanPower says:

          **start shame-o-tron**
          I use IE9
          **stop shame-o-tron**

          • LionsPhil says:

            You’re fine; 9′s not that bad. Stick this in your IE address bar:
            By default (I’m not sure where to change it) it will pop up a “are you sure?” dialogue showing that it wants to launch Steam. Just never untick the “always ask”.

            (That link should open the store page for TF2. Unfortunately I can’t make it a real link since WordPress changes the protocol back to http. [Not great; it'd be a lot better to just strip the link entirely...])

          • SuperNashwanPower says:

            Thank you, Philip of Lion.

  13. jrodman says:

    Every significant program is full of insecure jokes. Almost no engineering shops take security that seriously, and so this is just the way it is.

    We rely on security researchers finding and pointing a finger at the fail so parts of the mess get cleaned up. This is just a healthy part of that process.

  14. Zogtee says:

    Storm, teacup, wednesday.

  15. Baines says:

    Wasn’t there concern raised over Steam’s protocol when Ubisoft’s own similar security issues came to light? I want to recall at least some people mentioning it, though it was probably lost in the “Ha ha, look at Ubisoft. Steam would never do that” noise on the net.

  16. Roz says:

    Hmm, even with protocol handlers off, Chrome will still open spotify and steam links without asking, anyone got any ideas why?

  17. malkav11 says:

    So, in essence, don’t use direct Steam links on websites (something I have literally never done) until this exploit is fixed, if ever. Gotcha. Like I say, I’ve never, ever done this. I don’t think I’ve even seen a link like that. So not too hard to avoid.

  18. crinkles esq. says:

    Not real surprised Steam has security issues. On OS X, the pages within the Steam client don’t even render half the time. The last (and only) time I tried to download a Portal 2 level, it caused a Kernel Panic. Valve may make fun games, but their code is often sloppy.

  19. Glycerine says:

    There may be more serious vulnerabilities in the full paper, but if i’m reading it correctly, the issue described in the article really isn’t that immediately serious. So far as i can tell, the attack goes as follows:

    1. Get the victim to click a specially-crafted steam:// link (requires some basic phishing or the ability to put your link in a trusted place)

    2. The link gets steam to read from a local specially-crafted .tga file (local is the key thing here – the file has to be on your computer or on a mapped network drive already)

    3. While steam processes the .tga file, it hits a buffer overflow which then presumably allows code execution.

    Number 2 seems to be the killer there – perhaps there’s some way to exploit that through temporary internet files? Otherwise they already have to have access to your computer to place the file or map a network drive.

    Not that it shouldn’t be fixed, as someone already said; taking a directory from a remote URI is insane, but i’m not sure it’s as scary as it sounds.

    • Naum says:

      Unfortunately, the buffer overflow you describe is only one of several security holes that can be exploited via steam:// URLs. For instance, the paper later mentions some command line parameters of the Source engine that can be used to write arbitrary code to arbitrary files on the local hard drive, including the Startup folder where they can be executed without the user noticing. The underlying problem here is that the Source engine’s CLI, and most likely many other games’ CLIs, was never designed to receive input from untrusted sources, which the steam:// protocol makes possible.

  20. Innovacious says:

    I see all the talk of this making the assumption that browsers handle these with no question by default? But that has never happened to me. Any time Ive ever clicked links that then need to be passed on to other applications (some types of media/emails/steam) I have always been asked first before the browser hands it over, i thought it was the default option?

    Past that though, I would never click such links if they don’t make sense anyway. I know how they work. The only ones I have ever clicked are for beta surveys directly from valve and a few i made myself to force steam to install things because steam is being “difficult”. But, I don’t really see how its really any more of a big deal than any other malicious URLs anyway. Just watch what you’re clicking and don’t be an idiot. If you don’t trust something or some place, look it up first.

    I just checked, Firefox asks when i put in a steam:// url, as does IE. Chrome doesn’t understand and just googles it, not sure how it would handle clicking such a url though.

  21. beema says:

    When would you ever encounter a steam:// link? Is this stuff from within steam itself or if you are clicking something in a regular internet browser?