Valve announced recently some new changes for developers publishing public builds to their games on Steam, requiring a phone number and a text message confirmation code.
As the announcement says "As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing". The change is due to go live on October 24th and for developers who don't have a phone Valve simply say "Sorry, but you’ll need a phone or some way to get text messages if you need to add users or set the default branch for a released app". It will also be needed for adding new users, and Valve plan to add this requirement to "other Steamworks actions in the future".
Valve didn't mention why, but it didn't take long for the reason to make its way online. It turns some developer accounts were compromised, and used to spread malware on Steam. As noted by Simon Carless on X, showing a screenshot a developer received:
Screenshot via Simon Carless, SteamDB
In reply to the X post, developer Benoît Freslon said "Hey Simon, I'm the developer of this game. ALL my accounts were hacked by a Token Grabber Malware. Unfortunately, the 2FA i s useless if the token is still active. I just used my dev account to release the game few hours before the hack I suppose."
Valve confirmed to PC Gamer the issue affected less than 100 Steam accounts with the games installed.
Article taken from GamingOnLinux.com.
BlackBloodRum Oct 12, 2023
They should absolutely be public about this.
Last edited by BlackBloodRum on 12 October 2023 at 3:01 pm UTC
Quoting: BlackBloodRumWhy is the game blurred? This developer should put their hands up and admit they failed basic computer security.You mean . . . they're running Windows?!
BlackBloodRum Oct 12, 2023
Quoting: Purple Library GuyThat could well be true! Imagine having to use Windows every day though? The agony, the anger, the frustration, the distractions and to top it all off, you upload an infected game.Quoting: BlackBloodRumWhy is the game blurred? This developer should put their hands up and admit they failed basic computer security.You mean . . . they're running Windows?!
Quoting: BlackBloodRumMany think windows disease is incurable but it is very curable. So make sure to get a Linux or BSD distribution for your computer and cure this diseaseQuoting: Purple Library GuyThat could well be true! Imagine having to use Windows every day though? The agony, the anger, the frustration, the distractions and to top it all off, you upload an infected game.Quoting: BlackBloodRumWhy is the game blurred? This developer should put their hands up and admit they failed basic computer security.You mean . . . they're running Windows?!
Quoting: BlackBloodRumWhy is the game blurred? This developer should put their hands up and admit they failed basic computer security. They compromised their customers safety, so realistically it should be public knowledge (else, a customer could be infected by their infected game and not even know it!). Even if that may only be "less than 100 Steam Accounts". I doubt this is the first incident.The developer only seems to have posted about it on their Steam forum but not in any announcement.
They should absolutely be public about this.
Kimyrielle Oct 12, 2023
Quoting: KimyrielleI wonder why Steam can't just support hardware tokens, like everyone else. I hate using phones as security tokens because they become a single point of failure (and also because I don't trust big business not to lose/abuse my phone number). :SYep, phone numbers are a laughable form of security, I don't understand why Valve still believes it's reliable enough not to be replaced by actual 2FA that doesn't require a proprietary application (at least officially).
One extra hoop to jump through, which requires a separate device as a security measure (easily broken if the user syncs their SMS to their computer though), but a very unreliable one.
Come on, Valve.
Quoting: Nateman1000Quoting: BlackBloodRumMany think windows disease is incurable but it is very curable. So make sure to get a Linux or BSD distribution for your computer and cure this diseaseQuoting: Purple Library GuyThat could well be true! Imagine having to use Windows every day though? The agony, the anger, the frustration, the distractions and to top it all off, you upload an infected game.Quoting: BlackBloodRumWhy is the game blurred? This developer should put their hands up and admit they failed basic computer security.You mean . . . they're running Windows?!
This is probably ignorance in my part, but how is security better with Linux in this situation? We're (mostly) running these programs wide open out of the home drive (maybe some ppl are using flatpack or snap, but even then that's not a default requirement on most distro and people still poke holes in those sandboxes regularly). No, it can't infect "the system", but since we're executing programs out of /home, isn't that good enough? The malware is still running under the users permissions, it can still execute in /home, read data, access the network, etc.
Maybe I'm missing something fundamental with Linux security, but it seems once I log in anything within the user space can run under my permissions, malware or not? Especially if it's malware hidden in a program/game that I intentionally started?
I've used Linux a very long time, but I'm self taught.... Security is one of those Linux areas that's always been complex for me to grasp in a meaningful way.
Patreon
PayPal
See more from me