There was a pretty massive security flaw in Steam's code for, um, 15 years

There was a pretty massive security flaw in Steam's code for, um, 15 years

Valve has only just plugged a security flaw that has existed in Steam's code for a decade and a half.

The oversight was discovered by Context Information Security's Tom Court in February, who has written a pretty detailed blog post that goes in-depth into the flaw.

In short - every single user was exposed to hijack attempts from third-parties. Court says that the flaw was in Steam's code from its early days and was never addressed because no-one attempted to exploit it. The custom Steam protocol did not check the first data package exchanged, leaving it open to exploitation from malevolent parties. 

Within half a day of being reported, Valve rolled out a patch to address this on its Steam beta branch before a full roll-out on March 22nd.

The Pacific West-based company has since announced a bug bounty for pretty much any of its services, including Steam. It's possible that this extremely concerning revelation could have been the impetus for this.

PCGamesInsider Contributing Editor

Alex Calvin is a freelance journalist who writes about the business of games. He started out at UK trade paper MCV in 2013 and left as deputy editor over three years later. In June 2017, he joined Steel Media as the editor for new site In October 2019 he left this full-time position at the company but still contributes to the site on a daily basis. He has also written for, VGC, Games London, The Observer/Guardian and Esquire UK.


No comments
View options
  • Order by latest to oldest
  • Order by oldest to latest
  • Show all replies