Valve announced recently some new changes for developers publishing public builds to their games on Steam, requiring a phone number and a text message confirmation code.
As the announcement says "As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing". The change is due to go live on October 24th and for developers who don't have a phone Valve simply say "Sorry, but you’ll need a phone or some way to get text messages if you need to add users or set the default branch for a released app". It will also be needed for adding new users, and Valve plan to add this requirement to "other Steamworks actions in the future".
Valve didn't mention why, but it didn't take long for the reason to make its way online. It turns some developer accounts were compromised, and used to spread malware on Steam. As noted by Simon Carless on X, showing a screenshot a developer received:
Screenshot via Simon Carless, SteamDB
In reply to the X post, developer Benoît Freslon said "Hey Simon, I'm the developer of this game. ALL my accounts were hacked by a Token Grabber Malware. Unfortunately, the 2FA i s useless if the token is still active. I just used my dev account to release the game few hours before the hack I suppose."
Valve confirmed to PC Gamer the issue affected less than 100 Steam accounts with the games installed.
Article taken from GamingOnLinux.com.
Some you may have missed, popular articles from the last month:
The comments on this article are closed.
Nateman1000 Oct 12, 2023
I mean they gotta do what the gotta do
1 Likes, Who?
BlackBloodRum Oct 12, 2023
Why is the game blurred? This developer should put their hands up and admit they failed basic computer security. They compromised their customers safety, so realistically it should be public knowledge (else, a customer could be infected by their infected game and not even know it!). Even if that may only be "less than 100 Steam Accounts". I doubt this is the first incident.
They should absolutely be public about this.
Last edited by BlackBloodRum on 12 October 2023 at 3:01 pm UTC
They should absolutely be public about this.
Last edited by BlackBloodRum on 12 October 2023 at 3:01 pm UTC
5 Likes, Who?
Quoting: BlackBloodRumWhy is the game blurred? This developer should put their hands up and admit they failed basic computer security.You mean . . . they're running Windows?!
15 Likes, Who?
BlackBloodRum Oct 12, 2023
Quoting: Purple Library GuyThat could well be true! Imagine having to use Windows every day though? The agony, the anger, the frustration, the distractions and to top it all off, you upload an infected game.Quoting: BlackBloodRumWhy is the game blurred? This developer should put their hands up and admit they failed basic computer security.You mean . . . they're running Windows?!
9 Likes, Who?
I find it kind of weird that we've had to provide a login every time we have to pay, but that devs could just change public facing builds without any form of extra explicit authentication. Sounds like something that should have been done a long time ago.
5 Likes, Who?
Nateman1000 Oct 12, 2023
Quoting: BlackBloodRumMany think windows disease is incurable but it is very curable. So make sure to get a Linux or BSD distribution for your computer and cure this diseaseQuoting: Purple Library GuyThat could well be true! Imagine having to use Windows every day though? The agony, the anger, the frustration, the distractions and to top it all off, you upload an infected game.Quoting: BlackBloodRumWhy is the game blurred? This developer should put their hands up and admit they failed basic computer security.You mean . . . they're running Windows?!
3 Likes, Who?
Quoting: BlackBloodRumWhy is the game blurred? This developer should put their hands up and admit they failed basic computer security. They compromised their customers safety, so realistically it should be public knowledge (else, a customer could be infected by their infected game and not even know it!). Even if that may only be "less than 100 Steam Accounts". I doubt this is the first incident.The developer only seems to have posted about it on their Steam forum but not in any announcement.
They should absolutely be public about this.
1 Likes, Who?
Kimyrielle Oct 12, 2023
I wonder why Steam can't just support hardware tokens, like everyone else. I hate using phones as security tokens because they become a single point of failure (and also because I don't trust big business not to lose/abuse my phone number). :S
8 Likes, Who?
Quoting: Nateman1000Quoting: BlackBloodRumMany think windows disease is incurable but it is very curable. So make sure to get a Linux or BSD distribution for your computer and cure this diseaseQuoting: Purple Library GuyThat could well be true! Imagine having to use Windows every day though? The agony, the anger, the frustration, the distractions and to top it all off, you upload an infected game.Quoting: BlackBloodRumWhy is the game blurred? This developer should put their hands up and admit they failed basic computer security.You mean . . . they're running Windows?!
This is probably ignorance in my part, but how is security better with Linux in this situation? We're (mostly) running these programs wide open out of the home drive (maybe some ppl are using flatpack or snap, but even then that's not a default requirement on most distro and people still poke holes in those sandboxes regularly). No, it can't infect "the system", but since we're executing programs out of /home, isn't that good enough? The malware is still running under the users permissions, it can still execute in /home, read data, access the network, etc.
Maybe I'm missing something fundamental with Linux security, but it seems once I log in anything within the user space can run under my permissions, malware or not? Especially if it's malware hidden in a program/game that I intentionally started?
I've used Linux a very long time, but I'm self taught.... Security is one of those Linux areas that's always been complex for me to grasp in a meaningful way.
4 Likes, Who?
BlackBloodRum Oct 12, 2023
Quoting: denyasisQuoting: Nateman1000Quoting: BlackBloodRumMany think windows disease is incurable but it is very curable. So make sure to get a Linux or BSD distribution for your computer and cure this diseaseQuoting: Purple Library GuyThat could well be true! Imagine having to use Windows every day though? The agony, the anger, the frustration, the distractions and to top it all off, you upload an infected game.Quoting: BlackBloodRumWhy is the game blurred? This developer should put their hands up and admit they failed basic computer security.You mean . . . they're running Windows?!
This is probably ignorance in my part, but how is security better with Linux in this situation? We're (mostly) running these programs wide open out of the home drive (maybe some ppl are using flatpack or snap, but even then that's not a default requirement on most distro and people still poke holes in those sandboxes regularly). No, it can't infect "the system", but since we're executing programs out of /home, isn't that good enough? The malware is still running under the users permissions, it can still execute in /home, read data, access the network, etc.
Maybe I'm missing something fundamental with Linux security, but it seems once I log in anything within the user space can run under my permissions, malware or not? Especially if it's malware hidden in a program/game that I intentionally started?
I've used Linux a very long time, but I'm self taught.... Security is one of those Linux areas that's always been complex for me to grasp in a meaningful way.
For a typical desktop system without additional protection whatsoever, the malware may work. But consider this, what is malware trying to do, and where is it looking?
It's almost certain it'll look for typical Windows locations, which would be those provided by Proton (Wine). In the case of a Steam game running via proton for example, that means if it will find steamapps/compatdata/(gameid)/pfx/drive_c/* by default. The good news is, unlike regular wine, proton doesn't link users/steamuser/Documents to your real documents location.
So it's possible the malware will simply do nothing of harm to a Linux machine.
However, that doesn't mean you can simply forget and dismiss it! It is possible the malware has been trained to handle Linux, in which case it will try to get access to your home directory. Worst case here is your home directory gets hosed, and data which your user has permission to modify is altered, which is fairly minor.
You can prevent this situation in a couple of ways, you could prevent that access to those files using AppArmor or SELinux, you could combine that with, or use only flatpak with a proper configuration by modifying the permissions to revoke "All User/System/anything Files". It simply doesn't need it, along with disabling access to xdg-music, xdg-pictures. Steam only needs to access the locations that it is instructed to download games to (Your library), so you can specify only that directory as read/write and block everything else. It shouldn't need other directories, but if it does and doesn't need to write to them, then set it to read-only.
This advice applies to basically all flatpak apps. Only give minimal permissions. For example with Bottles, you might download your GOG games to a home directory folder like ~/Games, well bottles doesn't need to write to those GOG installers. So it can be safely set to read-only for bottles.
Oh, and the big one: Keep things updated with the latest security patches.
These are simple security measures, but it should be more than enough to prevent windows-based malware from escaping its wine prefix.
It might not however, stop a specifically targeted to you attack. A key thing to remember, security isn't something you can just say "must be like this" for. Different environments have different threat models.
Know your threat model, and adjust your security as necessary.
2 Likes, Who?
Patreon
PayPal
See more from me