OFFICIAL SECURITY BLOG
June 17, 2014 | BY Christopher Boyd
Here’s a curious one – a game developer working for SCS Software found an issue on Valve Corporation’s Steam Community Announcements, which he claims he’d reported previously but with no sign of a fix.
You can check out what happened next on Reddit, or avoid the liberal smattering of swearwords and read the extract below instead:
“Short version of what happened:
<script> tags were allowed in community announcements. We were talking about Steam’s weird HTML parsers in the #steamdb channel, and then Harlem Shake happened.”
“Harlem Shake happened”? Well, that can’t be good.
The dev went to an old community post related to one of their own games – Euro Truck Simulator 2 – and used his tag skills to redirect visitors to a Harlem Shake video.
Steam weren’t very happy about this display of XSS and promptly banned said dev from Steam Community Resources for 52 weeks. It seems he lost some developer privileges too.
The dev in question (Tomas Duda) posted a lot of information to his Twitter feed but it seems to have been deleted since yesterday.
Much of it is archived over on the Neogaf forums, if you want a closer insight into what went down (warning: some swearing. Again).
Opinion is sharply divided on whether or not he did the right thing – should he have gone public, or given Valve more time to fix it?
Was Valve going to address it at all, given he claims he’d notified them in the past with no success?
Regardless of his intentions, the moment he made active use of what he’d discovered Valve had him bang to rights – there was never going to be a happy ending for his account after that.
Whatever you think of his actions, this one will run and run from the looks of it. It appears developers were a “trusted entity” on Steam resources and not considered a potential attack vector, which may be why they were allowed to post markup such as script tags in this manner.
The flipside of this is that it would only take one compromised developer account to cause some havoc – so Valve may well be having another look at developer posting permissions and plugging a few leaks.
As for poor old Tomas, he may need to hitch a ride back to developer town…