Steam Bans Dev for a Year for Exploiting Potentially Harmful Script Tag Bug
Vulnerability would have potentially allowed hackers to redirect users to harmful websites.
Developer Tomas Duda has been banned from Steam for reporting a script tag error to Valve which could potentially be used by hackers to redirect gamers to harmful websites.
The Euro Truck Simulator developer realised that users could use script tags on Steam to redirect visitors to another site. Duda sent people to the Harlem Shake video, but as he points out, the vulnerability could easily be used to send people to phishing websites or to steal personal information.
I was talking about the script tag vulnerability multiple times. No one fixed it. Now I did Harlem Shake for fun (yay for #steamdb). — Tomáš Duda (@tomasduda) June 15, 2014
Imagine if someone used the vulnerability to steal users' session IDs? Redirected to a phishing site? — Tomáš Duda (@tomasduda) June 15, 2014
For discovering the flaw in Steam's code and bringing it to Valve's attention, Duda was banned from Steam and the client's Partner access program.
Jesus fucking Christ, Valve. This for making you finally fix a vulnerability? Seriously? pic.twitter.com/NWOkdgylWk — Tomáš Duda (@tomasduda) June 15, 2014
I also lost my Steamworks Partner access. — Tomáš Duda (@tomasduda) June 15, 2014
Despite this, it seems that Valve has yet to actually fix the error.
Valve, you still haven’t really fixed the vulnerability… pic.twitter.com/7E7NVi61Me — Gran PC (@GranPC) June 16, 2014
With over 70 million Steam users, the amount of data which could potentially be compromised by altering script tags is enormous, as is the potential for harm to users' systems.
We'll update this story as it develops.