Researcher banned on Valve's bug bounty program publishes second Steam 0-day - tareqak
https://www.zdnet.com/article/researcher-publishes-second-steam-zero-day-after-getting-banned-on-valves-bug-bounty-program/
======
PeterisP
I mean, you can't have your cake and eat it too - if you claim that a
particular issue is not a bug and you won't fix it, then you have no ethical
grounds to say that it shouldn't be disclosed.

Responsible disclosure expects delaying public disclosure to protect the users
while the vendor prepares a fix. If the vendor says that they won't fix it,
then it's not only a right, but a moral duty to disclose that vulnerability to
the users.

~~~
Mindless2112
Frankly, I think HackerOne deserves a bit of blame for that. Any WONTFIX ought
to be made public automatically unless there are extenuating circumstances
(like the vulnerability being reported against the wrong product).

~~~
daeken
H1 itself has no WONTFIX status, FYI. A bug that's not considered to be a bug
by the program will either be closed N/A or informative. Ultimately,
disclosures are handled and controlled by the program, not by H1; this is both
a good and bad thing (and I say that as both a HackerOne employee and a hacker
on the platform -- it's a complicated issue from both sides).

~~~
kop316
"It's complicated on both sides" means there is politics involved. Being blunt,
that sounds like a cop-out to me.

This sounds to me like an edge case that H1 should address if it really wants
to be taken seriously.

~~~
daeken
There is definitely politics involved, but not H1 internal. The issue is that
every program handles disclosure itself, so H1 itself doesn't really have the
power. That could be changed at a policy level, but I'm not sure that'll
happen (or should happen, honestly; I don't really know where I land on it).

~~~
chris_wot
H1 could make it a proviso, if using their service, that rejected bug reports
are automatically disclosed.

~~~
tptacek
1. The overwhelming majority of rejected H1 reports are garbage.

2. It is not the case that all _reporters_ want their findings disclosed
publicly, even if they're rejected.

3. Reporters already retain the right to publish findings however they'd
like. The worst H1 or a client can do is kick you off the platform.

4. A bug bounty platform that mandated disclosure of any sort would lose all
its customers to the platform that didn't have that mandate.

~~~
awirth
"The worst H1 or a client can do is kick you off the platform."

As a hacker on HackerOne, this is not my understanding of the relationship.
Generally speaking the programs give you "authorized access" under the CFAA
_conditional on following the disclosure guidelines_. I don't know about
other countries, but for the US I'm pretty sure this means that breaking the
guidelines means you've retroactively committed a felony.

Now it seems a little questionable whether any federal prosecutor would actually
take the case, but it definitely doesn't seem like a strictly civil issue to
me.

Strongly agree on all other points though.

~~~
anticensor
> you've retroactively committed a felony.

There is no such thing as a retroactive crime in rule-of-law systems.
Disclosure could be considered an offense in its own right, though.

~~~
tptacek
How?

------
c3534l
I see this as an example where the system works. Valve has an incentive to pay
for bugs. The researcher then has an incentive to disclose them privately. If
Valve doesn't pay fairly, the bug is disclosed, Valve pays the price and is
forced to fix it, and by running a scam of a bug bounty program, they've
exposed themselves to more disclosures. Valve now has an incentive to fix
their program either by working with this bug hunter or increasing payouts so
other hunters beat him to the punch. This is how the system should work.
Decentralized self-regulation needs people like Valve to fuck up once in a
while so that the forces at play sufficiently punish them until they improve
their process.

~~~
jupp0r
The meta-process might work, Valve's process is still broken.

~~~
jay_kyburz
Everybody makes mistakes, let's see if they can learn from theirs. I haven't
heard that they keep making this same mistake (but I could be wrong).

~~~
jupp0r
This happened end of June, they should have had ample time to reach out to
@viss, make amends and change their process.

~~~
jay_kyburz
Follow-up:
[https://www.gamasutra.com/view/news/349352/Valve_tweaks_bug_...](https://www.gamasutra.com/view/news/349352/Valve_tweaks_bug_bounty_program_after_mistakenly_turning_away_researchers.php)

------
ChuckMcM
This story continues to be so sad. Steam is reprising the role of Adobe who,
for quite a while, refused to acknowledge that being able to use FlashPlayer
as a tool to get you something on Windows was just as bad as breaking
FlashPlayer. I heard one Adobe executive say, "Hey you can use a baseball bat
to bludgeon someone but that isn't the bat maker's fault is it? If they are
forced to make foam bats their product is useless."

That position isn't "wrong" so much as it isn't useful in reducing risk.

~~~
fortran77
You're beating a dead horse. Flash served a purpose once, and now it's reached
end-of-life.

~~~
vorpalhex
> You're beating a dead horse

With a foam bat. Just because the Flash horse is dead doesn't mean it didn't
deserve its beating or can't continue to be a potent reminder of how bad
Adobe was at handling security issues and why other platforms, like Steam,
should learn instead of emulate.

~~~
dmix
This also has nothing to do with Flash specifically, rather, as you said,
Adobe's policy. It could have been any software, but especially Flash.

Flash was just such a unique special target, à la PDFs and Microsoft Word;
there were few wide-open targets that a hacker could predictably get the
user to open (whether embedded or not) on a target's machine. So it was
particularly sensitive to vulnerabilities by design, where a much broader
security perspective was clearly needed than for most software.

------
batatati
Maybe it is also time to switch from the prehistoric model of "hey let's
download a .exe on the web, execute it without any sandbox, and let that .exe
install other .exe from thousands of other unknown sources around the world
and run them without any sandbox either."

Steam or any other app should always run sandboxed with no root access, no
file access, no camera access, no access to other processes, etc. For most
users, Steam only needs a sandboxed local storage to put its games into and
internet access (and maybe mic access), that's it.

I really hope Flatpak and something similar for Windows becomes the norm; the
current situation is a security and privacy disaster.

There can still be exploits of course, but now you have to find a weakness
both in the app and in the OS sandbox, which is a whole lot harder.

~~~
tus88
> prehistoric model of "hey let's download a .exe on the web, execute it
> without any sandbox, and let that .exe install other .exe from thousands of
> other unknown sources around the world and run them without any sandbox
> either."

What year is it? To me prehistoric means buying a nice big box with a CD-ROM or
some floppies and installing with no internet required at all. Shell exes that
want to download crap are the current nightmare we are living in, I thought.

~~~
andrewprock
See also: [https://brew.sh/](https://brew.sh/)

------
jacobkg
The salient part seems to be that the researcher reported the first
vulnerability through HackerOne and was (reportedly) told by Steam it wouldn't
be fixed. He then published it after being instructed that was against the
rules, and was banned.

~~~
codedokode
I wanted to note that the researcher was not banned at HackerOne, he was only
banned from reporting bugs to Valve. This is written in the article about the
second vulnerability [1].

[1]
[https://amonitoring.ru/article/onemore_steam_eop_0day/](https://amonitoring.ru/article/onemore_steam_eop_0day/)

------
Havoc
Drama aside.

Valve...I have your software installed. It has a hole. Fix it.

This mudslinging isn't helping your PR or making me feel more secure about my
steam install regardless of the details.

~~~
A4ET8a8uTh0
I agree. As a user, I do not care much who is at fault, but I do expect the
platform you provide to be somewhat secure, especially after you are told it
is not.

I basically uninstalled the Steam client after the first 0day was found. At least with
GOG I don't have to install Galaxy. But that's a different rant.

------
busterarm
My opinion, not my (HackerOne customer) employer's:

I know this will be unpopular with folks like tptacek, but I've always felt
strongly that bug bounty programs offer too many perverse incentives to all
parties.

More often than not it becomes a tool for companies to sweep issues like this
under the rug and then use HackerOne's system to force the reporters to play
ball (because they want to keep getting paid). I hate this system.

I'm 100% behind open, public disclosure and if it were my own product in
question, I would offer bounties for _public disclosures_. That keeps everyone
honest.

~~~
wolco
I agree with you from the other side. Before these programs people would
disclose issues to the public. The company found out like everyone else. They
would fix it immediately because they had to.

Now they can hide it for months (ever), allowing others to discover them and
keeping the researchers quiet.

~~~
CraftThatBlock
A normal process goes like this:

- Researcher finds bug

- Researcher discloses to vendor

- Vendor fixes (or not)

- Researcher discloses bug publicly once vendor has fixed, or after X time
(whichever is first)

This is roughly how Project Zero goes, and it's a good mix between giving the
vendor the opportunity to fix it and deploy the update before it gets
exploited.

It's very naive to assume that bugs can be fixed before others can exploit
them. Bugs take time to fix, and the process takes time, especially when
dealing with large enterprises.

~~~
xigency
Why is it whichever is first and not after a fixed time? I see a benefit to
waiting X time regardless, because it allows more time for the patch to
circulate to everyone. What is the benefit to disclosing it immediately after
it is "fixed"?

~~~
CraftThatBlock
It's typically not immediately after it's fixed, but usually about a week or
so, to let the majority update.

The vendor can also usually request an extension, as per the Project Zero
guidelines, of I believe 1 month if they confirm they are actively working on a
patch.

The goal of responsible disclosure is to help the vendor and their users be
more secure, so having a policy that is balanced between the two is important
to let the vendor fix it, and to not let the users be possibly hacked.

------
stOneskull
They're arrogant and lazy. Just say thank you and fix it. I hope GOG and
HumbleBundle get a nice boost in sales.

~~~
babuskov
> I hope GOG and HumbleBundle get a nice boost in sales.

While there are some DRM-free games, the majority of games on HumbleBundle are
sold as Steam keys, so you still need Steam to launch them.

~~~
bscphil
I seem to recall the HB site, in the early days, saying something to the
effect of "Our promise: 100% DRM free games". They even did a bunch of bundles
that donated part of the proceeds to the EFF. It's sad to see them as just
another front for Steam sales.

~~~
driverdan
They're owned by Ziff Davis. It's not surprising.

------
mordae
This sucks. We run steam on some public PCs with unprivileged accounts and we
wouldn't be very happy to find that users were able to gain admin access and
steal other people's passwords through a keylogger. Sigh.

~~~
sushisource
That seems to me the most obvious problem use case here. How can Valve
possibly think that isn't important?

~~~
chii
Because their security model is too myopic. By defining security vulnerability
to be only remote code execution from within the Steam client, they save
themselves a tonne of work (and cost).

I can understand that perspective: Steam can't spend the time to rewrite to
fix the EoP/LPE issues. Their stance must be that the user has to "be careful"
not to install malware or other vulnerable software, instead of fixing Steam.

------
yellowapple
This wouldn't be anywhere near as severe a problem as it is if Steam's service
wasn't running as something as ridiculously privileged as NTAUTHORITY\SYSTEM.

On the plus side, reading the writeup [0] it seems unlikely that this affects
the Linux client (or even if it does, it's at least limited to the current
user account). So I guess Steam can continue to live on my machine for another
day.

[0]:
[https://amonitoring.ru/article/onemore_steam_eop_0day/](https://amonitoring.ru/article/onemore_steam_eop_0day/)

------
notyourday
I'm amused that anyone does not have a cynical view of H1. H1 is an equivalent
of HR for cyber. It exists not to deal with issues or address problems, rather
it exists to help companies to manage bad exposure. That's how H1's bread is
buttered.

------
ChrisSD
Just a reminder: you can disable the Steam service and still play your games.

Some Steam features will be disabled or broken but whether or not this affects
you will obviously vary depending on which ones you like to use.

------
ssully
I wonder if this is a product of Valve's free-form company structure. If, as a
Valve employee, you have the autonomy to float between projects, how do you
maintain a strong security team? Do they even have a dedicated security team?

~~~
abtinf
I've worked with extremely competent security professionals before. Those
people _love_ and are _fanatical_ about security. Based on my experience, it
seems a near certainty that Valve doesn't employ even a single such person.
These people raise hell if security is ignored and have a job freedom that
makes typical software engineers look like panhandlers.

~~~
Traubenfuchs
That is why many people hate cybersecurity professionals:
[https://thenextweb.com/security/2019/01/25/everybody-hates-c...](https://thenextweb.com/security/2019/01/25/everybody-hates-cybersecurity-professionals/)

------
dsourajit
There's a follow-up article. [https://www.zdnet.com/article/valve-patches-recent-steam-zer...](https://www.zdnet.com/article/valve-patches-recent-steam-zero-days-calls-turning-away-researcher-a-mistake/)

------
throwaway156503
Since Valve stopped producing games, I wonder what their net income per
employee is based on assets they own less revenue produced by third-parties
through Steam.

If you look at just the assets Valve produces minus rent seeking, are they
losing money?

------
codesushi42
Yet another reason to switch to GOG.

------
tzakrajs
Valve figured out how to print money by hooking teenagers with gambling on
loot boxes. They stopped having to create AAA titles, they stopped having to
do anything remotely creative, and now they are a giant cancer with no value
left to add. Their client is an insecure, slow, unstable piece of shit and has
been this way for well over a decade. I regret being a customer of theirs.

~~~
zelon88
I remember listening to some of their commentary tracks where the employees
talk about how their desks had wheels, there's no managers, and there's no
deadlines and no stress. They also at one time had higher profit per employee
than Google! [1]

Turns out that all along having no accountability in your company would result
in complacency and a critical lack of production. I'm curious to see how Valve
Software as a company is going to climb over this security wall they've found
themselves in front of if seemingly nobody has to answer to anyone and
everybody gets to do what they want in a leisurely fashion. I mean we give
Chinese IoT vendors crap all day long, and it turns out Steam might be just as
bad!

[1]
[https://www.forbes.com/sites/stevedenning/2012/04/27/a-glimp...](https://www.forbes.com/sites/stevedenning/2012/04/27/a-glimpse-at-a-workplace-of-the-future-valve/#138f96275577)

~~~
caconym_
I heard somewhere it's very stressful, toxic politics and so on. Not sure
where, but it's interesting to see a report to the contrary.

Personally I always thought it would be cool to work at Valve, but not
anymore. I don't see them doing anything broadly relevant that doesn't involve
coasting on the momentum/market share of ancient products. Their VR stuff is
cool, but even there it feels like they're lagging behind e.g. Oculus in ways
that matter.

~~~
esyir
Eh, every review of the Index has put it head and shoulders over any Rift
version so far. I'm not sure if we'd consider that "lagging behind Oculus".

~~~
caconym_
It's a premium product, and if I were going to buy a new VR headset right now
it'd be the Index, but it's not a generational leap (it's basically a Vive++)
and I've lost confidence in Valve to produce such a leap, let alone to bring
VR gaming to the mainstream.

I'd love to be proven wrong, because I dislike Oculus. I am simply stating my
observation that Valve seems to be in decline.

------
bogwog
From what I've read, the original bug involved malware already installed on
the PC using the Steam client to run other code. While I'm not a security
expert in any way, that doesn't seem to me like a huge exploit. If the attack
requires installing malware on the victim's computer, why not just do the evil
stuff directly with that malware? If that's the case and I'm not just
remembering it wrong, then I could see why Valve wouldn't want to pay up _and_
could see why this guy would go on a social media rant to slander Valve either
hoping they'll pay up or just to get petty revenge.

~~~
zelon88
Let's say you and your brother share a PC, but you're the admin. You both play
Steam. His account has no password. I steal the laptop. I log in as him. I pop
a SYSTEM shell using Steam. I reset your admin password.

"_Damn_, you watch some weird porn."

~~~
dwild
Wouldn't you be able to do the same simply by looking at the file system
without any access to admin privileges?

I'm not arguing that this vulnerability isn't one, it's a privilege escalation
vulnerability, however in your situation you got physical access which is as
far as I know, pretty much game over for your system.

~~~
poizan42
Not if they haven't granted access to the files to you. In fact by default the
files in a user's home folder (including Documents, Videos etc.) are
inaccessible to other (non-privileged) users on Windows.

~~~
thethirdone
If they have physical access, then they don't need to boot into Windows. They
could boot from a flash drive and access any files they want.

~~~
zelon88
This is true, and also why I lock down my BIOSes and set the OS as the only
boot device. TRK is a bootable portable Linux specifically for resetting and
unlocking local admin accounts.

Encryption, however, cannot be broken without your credentials. These can be
obtained from a default running instance of Windows with Mimikatz if the admin
credentials are still in memory from an earlier session.

~~~
thethirdone
Yeah, there are definitely ways of securing versus someone with physical
access, but I expect most machines with a non-sandboxed steam installed
probably don't have them.

This privilege escalation attack is probably never going to be used if the
attacker has physical access.

------
EnFinlay
a) Program has scope that doesn't include X

b) Researcher reports vulnerability that falls under X

c) Since it's out of scope, it's closed as N/A

d) Report is locked because company doesn't want to publicly disclose a
vulnerability in their system via the HackerOne platform

What's the problem here? Just go with normal vulnerability disclosure. Bug
bounty programs are a two way street, and respecting the scope is part of
that.

Edit: I guess the important part is that the researcher was then banned for
disclosing the report. Seems reasonable, honestly. I don't agree with it, but
I understand it.

~~~
zelon88
Acknowledgement is one thing. Disclosure is another.

If Steam had no problem acknowledging that this functionality exists, they
should have had no problem with it being disclosed. There lies the problem. In
the bathroom with the needle in their arm; "...there's no problem here..." but
if you swing the door open they'll still try to shut it. Because they know
they're wrong.

If HackerOne isn't going to help you they have no right to hinder you. If they
want to strongarm everyone into effectively the same agreement as an NDA then
there literally is no point in turning vulnerabilities into HackerOne.

They seem to only exist as a cow-catcher on the locomotive of software vendors
too lazy to actually fix crappy code.

"Who needs to fix code and shell out bounty if you can pinpoint and silence
the researcher?"

~~~
daeken
> If HackerOne isn't going to help you they have no right to hinder you. If
> they want to strongarm everyone into effectively the same agreement as an
> NDA then there literally is no point in turning vulnerabilities into
> HackerOne.

The article gets this part wrong: the hacker isn't banned from H1, which he
says in his blog post -- "Eventually things escalated with Valve and I got
banned by them on HackerOne — I can no longer participate in their
vulnerability rejection program (the rest of H1 is still available though)."
HackerOne is in no way punishing the hacker for his reports and/or public
disclosures, for what it's worth.

(Disclosure: I am on the community team at H1, though I've had effectively
zero involvement with this.)