Valve Steam Chat recently fixed an exploitable “spying” issue after launch

The brand new Steam Chat has just launched. Barely 24 hours later, rumblings of a possible exploit and “spying” have surfaced.

According to Reddit user u/Presistan, it was possible to exploit Steam Chat. This would allow you to listen to your friends without them knowing. Other users were alarmed and chimed in, and soon the post was shared on other subreddits as well. To some, it felt like a serious breach of trust, a violation of laws, or, simply put, spying.

Steam Chat gets a quick fix

Some time later, Valve representative u/jmccaskey replied in the thread, and he couldn’t help but throw some shade at Presistan.

We fixed this, thanks for reporting. In the future, it is generally better to report anything you think might be a security issue on HackerOne where we can act on it without first telling the entire world how to exploit it. Then you can responsibly disclose the issue after a fix is out.

Fortunately, in this case, if you were kicked you continued to show up as in the voice chat in your own friends list, and you could leave from there. You were in a weird state transmitting but not receiving, but you would have still seen that you were in the voice chat.

In some ways, the Valve representative does have a point. While nobody wants their privacy to be exploited through Steam Chat, it’s probably not a good idea to tell the world about a way of doing so. After all, we live in an interconnected, digital world filled with strangers. We’ll never know how many bad apples out there are looking to cause harm. The Steam Chat vulnerability might be something they wouldn’t have known about had it not been highly publicized.

That’s why jmccaskey mentioned Steam’s program with HackerOne, where white hat hackers and computer wizards check vulnerabilities in the system. It would be more responsible to report a security issue there rather than telling millions about it.

  • Comments: 1
    • Mygrn

      I have two scenarios I see here for ANY company in a similar situation. One where I tell everyone and their brother about the problem such as the aforementioned article or I do what Steam suggested and go to the company quietly or HackerOne or whomever is proper to quietly solve the problem.

      Regardless of either scenario there is a time where the average Joe doesn’t know there is a problem. They continue chatting, banking, or what-have-you completely unaware that whatever they’re doing is being either stolen, leaked, eavesdropped, and so forth.

      Scenario 1: Blab to the world.

      PROS: Everyone now knows there is a problem and can react as they need to by stopping chatting, banking, or ignoring the issue as THEY so choose immediately. This also forces the company to react ASAP for damage control and they can’t try to sweep that it happened under a rug.

      CONS: There is a time where greatly more people know about the vulnerability and can exploit it before it’s fixed. You may be held liable for releasing the info.

      Scenario 2: Keep it quiet and inform the proper people.
      PROS: Nobody but you, whomever you informed, and possibly other people like you know there is a problem. It’s much less likely that someone can abuse the vulnerability before it’s fixed. The company doesn’t have to do damage control as much.

      CONS: Regular people unknowingly continue dealing with a compromised system which OTHERS may be currently abusing. The company can put it on a back burner if they deem it ‘less important’. They can hide that it even happened from people. You may be held liable anyway and especially so if the vulnerability is then exposed or abused.

      I personally would rather know of an issue, realize this stuff happens to any company, react accordingly, and figure it’ll probably be fixed soon than to find out that my identity is stolen, my bank accounts emptied, or whatever without any way to protect myself or at least realizing what happened.