Valve has fixed a zero-day vulnerability in the latest Steam beta, released earlier today, that could be used to mount an escalation of privilege attack. Notably, the fix came only after a public outcry from the security researchers who found the bug over Valve's refusal to acknowledge their work.
Vasily Kravets, a self-described Windows Privilege Escalator, first publicised the exploit earlier this week; it could affect millions of Windows users running Steam. In a blog post, he described in detail how manipulating some of the registry keys associated with the Steam Client Service could be used to escalate privileges on a PC, allowing an attacker to run "any program with the highest possible rights on any Windows computer with Steam installed."
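The article only says the bug involves registry keys associated with the Steam Client Service; it does not give the exploit steps, and none are reproduced here. What a defender wants after reading it is a quick way to check whether a service's registry key grants write-class rights to low-privilege accounts, which is the general weakness class behind service-key privilege escalations. The following PowerShell is an added example written for this page, not code from the article, from Kravets or from Valve. It assumes the service key lives at `HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service` (the conventional location for a Windows service's configuration key) and that the listed identities are the low-privilege principals of interest.

```powershell
# Added example (not from the article or from Valve): audit a service's registry key,
# and its subkeys, for write-class rights granted to low-privilege principals.
# Assumption: the Steam service's key is at the conventional Services\<name> path.
function Test-ServiceKeyWritableByUsers {
    param(
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service',
        [string[]]$LowPrivIdentities = @(
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE',
            'Everyone'
        )
    )

    if (-not (Test-Path -Path $KeyPath)) {
        Write-Warning "Key not found: $KeyPath"
        return @()
    }

    # Rights that let a principal change what the service runs or who controls the key.
    # FullControl is deliberately not in the mask: it also contains read bits, and any
    # FullControl ACE already carries SetValue/CreateSubKey, so it still matches.
    $writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                 [System.Security.AccessControl.RegistryRights]::WriteKey -bor
                 [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                 [System.Security.AccessControl.RegistryRights]::TakeOwnership

    # The service key itself plus every subkey beneath it.
    $keys = @(Get-Item -Path $KeyPath) + @(Get-ChildItem -Path $KeyPath -Recurse -ErrorAction SilentlyContinue)

    $findings = foreach ($key in $keys) {
        $acl = Get-Acl -Path $key.PSPath
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.RegistryRights -band $writeMask) -ne 0) {
                [pscustomobject]@{
                    Key       = $key.Name
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }

    return @($findings)
}

# Usage: an empty result means no low-privilege principal can write under the key.
$hits = Test-ServiceKeyWritableByUsers
if ($hits.Count -eq 0) {
    Write-Host 'No low-privilege write access found on the service key.'
} else {
    $hits | Format-Table -AutoSize
}
```

The same function can be pointed at any other service key (`-KeyPath 'HKLM:\SYSTEM\CurrentControlSet\Services\<name>'`) to audit the rest of the machine. A non-empty result is a finding to remediate (tighten the ACL or update the software), and inherited entries usually indicate the parent key is the one to fix.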
Kravets' disclosure was made only 45 days after his initial report. This is half of the standard 90-day limit that is usually adhered to in the industry. Kravets claimed this is due to Valve's lack of acknowledgement for his work.
The researcher first raised the issue with HackerOne, a bug bounty platform endorsed by Valve. However, his report was marked as "not applicable" by HackerOne staff because they claimed it was an example of "attacks that require the ability to drop files in arbitrary locations on the user's filesystem". After some back and forth with HackerOne, Kravets was finally able to get approval to send the report to Valve's security team, but his report was rejected again for the same reason, with the added qualification that the attack "requires physical access to the user's device".
Despite rejecting his report, HackerOne staff also prohibited him from disclosing the vulnerability to the public, an admonishment he clearly didn't abide by. A second researcher, Matt Nelson, had complained back in June about a big company refusing to acknowledge his reports. He then identified Valve as the company in July, remarking "Good luck reporting anything that doesn't fit their crappy bounty scope." Following Kravets' disclosure, Nelson published his own proof of concept for the same exploit this week as well.
We reached out to both HackerOne and Valve to enquire about the reasoning behind the rejection of Kravets' report. A Steam spokesperson pointed us to the release notes for the latest Steam beta, which fixes the issue. He also stated, "We will be reviewing our HackerOne protocol and potentially making some updates to that as well." HackerOne reiterated that it was looking into the issue, but had no further comment at this time.