The brand new Steam Chat has just launched. Barely 24 hours later, rumblings of a possible exploit and “spying” have surfaced.
According to Reddit user u/Presistan, it was possible to exploit Steam Chat in a way that let you listen to your friends without them knowing. Other users were alarmed and chimed in, and soon the post was shared on other subreddits as well. To some, it felt like a serious breach of trust, a violation of laws, or, simply put, spying.
Steam Chat gets a quick fix
Sometime later, Valve representative u/jmccaskey replied in the thread, and he couldn’t help but throw some shade at Presistan.
“We fixed this, thanks for reporting. In the future, it is generally better to report anything you think might be a security issue on HackerOne where we can act on it without first telling the entire world how to exploit it. Then you can responsibly disclose the issue after a fix is out.
“Fortunately, in this case, if you were kicked you continued to show up as in the voice chat in your own friends list, and you could leave from there. You were in a weird state transmitting but not receiving, but you would have still seen that you were in the voice chat.”
In some ways, the Valve representative does have a point. While nobody wants their privacy to be exploited through Steam Chat, it’s probably not a good idea to tell the world about a way of doing so. After all, we live in an interconnected, digital world filled with strangers. We’ll never know how many bad apples out there are looking to cause harm. The Steam Chat vulnerability might be something they wouldn’t have known about had it not been highly publicized.
That’s why jmccaskey mentioned Steam’s program with HackerOne, where white hat hackers and computer wizards check the system for vulnerabilities. It would be more responsible to report a security issue there rather than telling millions about it.