Researchers Discover Critical Steam Vulnerability
Category: Gaming
Posted: October 17, 2012 04:55PM
This isn't exactly what anyone wants to hear, but it is what it is. Security research firm ReVuln has discovered a new vulnerability in Valve's Steam software, in that an attacker can abuse certain protocols to trick a user into opening malicious URLs. Whenever Steam is installed on a system, it registers itself as a steam:// URL protocol handler. Any time someone clicks on a steam:// URL in a browser or chat program, that URL is sent along to the Steam client for execution. Those URLs can tell a game to install or uninstall, download updates, back up files, start games, and more. It is those commands an attacker can exploit, especially since some browsers do not ask a user for confirmation before handling the steam:// URL.
ReVuln states Internet Explorer 9, Google Chrome, and Opera all show a warning and display the URL, while Mozilla Firefox just has the warning. Safari does neither of those things, and simply executes the command. According to ReVuln:
All the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine (like Firefox and SeaMonkey) are a perfect vector to perform silent Steam Browser Protocol calls. Additionally for browsers like Internet Explorer and Opera it’s still possible to hide the dodgy part of the URL from being shown in the warning message by adding several spaces into the steam:// URL itself.
Valve has not commented on this report, but hopefully it issues a statement and patch shortly to correct it.
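As an added example (not from ReVuln or the original post), here is a small scanner a defender could run over saved HTML to list steam:// links and flag any whose decoded form contains a run of spaces, the padding the ReVuln quote describes. The three-space threshold, the attribute set and the placeholder URLs in the constructed sample are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Assumed threshold for "several spaces"; tune for your own data.
PAD_RUN = re.compile(r"\s{3,}")

class SteamLinkAuditor(HTMLParser):
    """Collects URL-bearing attributes that use the steam:// scheme."""
    URL_ATTRS = {"href", "src"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in self.URL_ATTRS or not value:
                continue
            url = value.strip()
            if not url.lower().startswith("steam://"):
                continue
            # Decode %20 etc. so encoded padding is caught as well as raw spaces.
            decoded = unquote(url)
            pad = PAD_RUN.search(decoded)
            self.findings.append({
                "tag": tag,
                "url": url,
                "padded": pad is not None,
                # Text before the padding is what a short warning box would show.
                "shown_first": decoded[:pad.start()] if pad else decoded,
                "after_padding": decoded[pad.end():] if pad else "",
            })

def audit(html_text):
    parser = SteamLinkAuditor()
    parser.feed(html_text)
    parser.close()
    return parser.findings

# Constructed sample: the steam:// paths are placeholders, not real Steam commands.
SAMPLE = """
<a href="https://example.com/news">news</a>
<a href="steam://placeholder-command/123">join</a>
<a href="steam://placeholder-command/%20%20%20%20%20%20placeholder-argument">patch</a>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any hit is worth a look on pages that have no reason to link into the Steam client; a hit with `padded` set deserves priority because the trailing part would not be visible in a truncated confirmation prompt.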