With over 50 million members, Steam has become the number one online digital content delivery platform for PC games. Perhaps it is for this reason that Valve, Steam’s developer, quietly applied a fix to an HTML-related vulnerability that was discovered by Ars Technica’s Senior Gaming Editor Kyle Orland.
Orland discovered the vulnerability while fiddling with Steam’s profile settings and examining the source code – which is easily accessible in today’s browsers. The vulnerability allows information from accounts set to “Private” or “Friends Only” to be viewed through the browser’s source code viewer. By adding extensions to the URL and then looking at the HTML code, anyone can view a user’s info stored on Steam, such as their game library and recent purchases, and even load the Achievement page for a game in their library.
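The class of flaw described above, as an added illustration that is not from the article or from Valve's code: a constructed Python model in which one renderer always writes the game list into the HTML and merely hides it, while the other checks the privacy setting on the server before emitting anything. All profiles, names and fields are hypothetical.

```python
from html import escape

# Constructed sample profiles; every name and field here is hypothetical.
PROFILES = {
    "alice": {"privacy": "private", "friends": {"bob"}, "games": ["Game A"]},
    "carol": {"privacy": "friends_only", "friends": {"bob"}, "games": ["Game C"]},
    "dave": {"privacy": "public", "friends": set(), "games": ["Game D"]},
}

def may_view(owner, viewer):
    """Server-side decision: may `viewer` (None = anonymous) see owner's data?"""
    profile = PROFILES[owner]
    if viewer == owner or profile["privacy"] == "public":
        return True
    if profile["privacy"] == "friends_only":
        return viewer in profile["friends"]
    return False  # "private" and any unrecognised setting fail closed

def _game_list(owner, attrs=""):
    items = "".join(f"<li>{escape(g)}</li>" for g in PROFILES[owner]["games"])
    return f"<ul{attrs}>{items}</ul>"

def render_games_flawed(owner, viewer):
    """Flawed: the data is always sent; privacy only changes how it is displayed."""
    hidden = "" if may_view(owner, viewer) else ' style="display:none"'
    return _game_list(owner, hidden)

def render_games_fixed(owner, viewer):
    """Fixed: unauthorized viewers get a response that never contains the data."""
    if not may_view(owner, viewer):
        return "<p>This profile is private.</p>"
    return _game_list(owner)

def body_contains_games(render, owner, viewer):
    """Regression check: does the raw response body contain any game title?"""
    body = render(owner, viewer)
    return any(escape(g) in body for g in PROFILES[owner]["games"])

if __name__ == "__main__":
    for owner in PROFILES:
        for viewer in (None, "bob"):
            print(owner, viewer,
                  "flawed:", body_contains_games(render_games_flawed, owner, viewer),
                  "fixed:", body_contains_games(render_games_fixed, owner, viewer))
```

The check inspects the raw response body rather than the rendered page, which is the view a browser's source viewer exposes.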
Upon finding – and documenting – the vulnerability, Orland contacted Valve to notify them about it. Interestingly, Valve applied a fix to the vulnerability within three hours of being notified. However, the company did not reply to Orland to acknowledge his discovery, nor was there any official statement regarding the matter. Ars notes that Valve’s silence is vastly different from the approach of other software giants such as Microsoft and Google, who actively participate in user feedback regarding the security of their software. The company’s silence, Orland postulates, may “discourage future private disclosure of security flaws”.
For a more detailed description of the vulnerability, head on to the source link below.
(Source: Ars Technica)