Valve overlooked a vulnerability in the Steam client that left all users exposed to possible hijack attempts for a good 15 years. The flaw existed within some very old code, and was apparently left alone because it worked and nobody thought to test it.
The vulnerability was exposed by researcher Tom Court from Context Information Security, who immediately notified the developer of his findings. Valve had supposedly neglected to include a check on the first packet of data delivered through its custom Steam protocol communication. Court provides a full write-up of the issue on the Context blog.
How the vulnerability went undetected for over a decade is still uncertain, although Valve itself moved extremely quickly once notified of the problem. The company became aware of the flaw on 20 February 2018, and managed to issue a beta patch within 12 hours. A stable patch was released about a month later.
Details of the incident are only being published now because of security concerns and to ensure that users have had time to patch their Steam clients. Thankfully, the client automatically downloads updates and forces them on users at startup.