Catalin Cimpanu / ZDNet
Catalin Cimpanu / ZDNet
Security Researcher Reveals Second Zero-Day Bug in Steam Gaming Client After Being Banned by Company and HackerOne For Disclosing Earlier Zero-Day Flaw
Russian security researcher Vasily Kravets published details about a second zero-day vulnerability in the Steam gaming client after he was banned by Steam and Hacker One from Steam’s bug disclosure platform following Kravets’ public disclosure of another zero-day vulnerability in the platform earlier this summer. Although Valve issued a patch for the first bug, it proved to be insufficient. Another security researcher Matt Nelson also revealed he found the same exact bug after Kravets which he too reported to Valve’s HackerOne program, only to go through a similar bad experience as Kravets. Nelson said both HackerOne and Valve took five days to acknowledge the bug, refused to patch it and locked the bug report when Nelson wanted to disclose the bug publicly and warn users. Kravets’ second Valve zero-day, which, like the first, is another EoP/LPE (escape of privilege or local privilege escalation) in the Steam client, allows malicious apps to gain admin rights through Valve’s Steam app. Part of Valve’s difficulty in dealing with this problem is that it appears to consider EoP/LPE vulnerabilities as “out-of-scope” for its HackerOne platform, meaning the company doesn’t view them as security issues despite the fact that most other companies do.
BleepingComputer.com: Second Steam Zero-Day Impacts Over 96 Million Windows Users
Slashdot: Researcher Publishes Second Steam Zero Day After Getting Banned on Valve’s Bug Bounty Program
amonitoring: One more Steam Windows Client Local Privilege Escalation 0day
Hacker News (ycombinator): Researcher banned on Valve’s bug bounty program publishes second Steam 0-day (zdnet.com)
THE INQUIRER: Researcher banned from Valve’s bug bounty exposes second Steam zero-day
The Register: Disgruntled bug-hunter drops Steam zero-day to get back at Valve for refusing him a bounty
Security Affairs: A new Zero-Day in Steam client impacts over 96 million Windows users
@viss: i am disappointed that valve does this kinda stuff
@psidragon: Valve banned me on their H1 program. So... I release new #ZeroDay #PublicDisclosure EoP vulnerability at Steam. Another #0day. Rus - https://habr.com/ru/company/pm/blog/464367/ Eng - https://amonitoring.ru/article/onemore_steam_eop_0day/
@enigma0x3: @steam_games that’s not really how that works. You can’t pick and choose what you define as a vulnerability. Your software is breaking the Windows security model.
@MalwarePatrol: Disgruntled bug-hunter drops Steam zero-day to get back at Valve for refusing him a bounty. https://theregister.co.uk/2019/08/22/steam_zeroday_valve/ via @TheRegister