
Valve recently announced changes for developers publishing public builds of their games on Steam, requiring a phone number and a text message confirmation code.

As the announcement says "As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing". The change is due to go live on October 24th and for developers who don't have a phone Valve simply say "Sorry, but you’ll need a phone or some way to get text messages if you need to add users or set the default branch for a released app". It will also be needed for adding new users, and Valve plan to add this requirement to "other Steamworks actions in the future".

Valve didn't mention why, but it didn't take long for the reason to make its way online. It turns out some developer accounts were compromised and used to spread malware on Steam. This was noted by Simon Carless on X, showing a screenshot a developer received:


Screenshot via Simon Carless, SteamDB

In reply to the X post, developer Benoît Freslon said "Hey Simon, I'm the developer of this game. ALL my accounts were hacked by a Token Grabber Malware. Unfortunately, the 2FA is useless if the token is still active. I just used my dev account to release the game few hours before the hack I suppose."

Valve confirmed to PC Gamer the issue affected less than 100 Steam accounts with the games installed.

Article taken from GamingOnLinux.com.
Tags: Game Dev, Misc, Steam
About the author -
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly.
The comments on this article are closed.
18 comments

Nateman1000 Oct 12, 2023
I mean they gotta do what they gotta do
BlackBloodRum Oct 12, 2023
Why is the game blurred? This developer should put their hands up and admit they failed basic computer security. They compromised their customers' safety, so realistically it should be public knowledge (else, a customer could be infected by their infected game and not even know it!). Even if that may only be "less than 100 Steam Accounts". I doubt this is the first incident.

They should absolutely be public about this.


Last edited by BlackBloodRum on 12 October 2023 at 3:01 pm UTC
Purple Library Guy Oct 12, 2023
Quoting: BlackBloodRum
Why is the game blurred? This developer should put their hands up and admit they failed basic computer security.
You mean . . . they're running Windows?!
BlackBloodRum Oct 12, 2023
Quoting: Purple Library Guy
Quoting: BlackBloodRum
Why is the game blurred? This developer should put their hands up and admit they failed basic computer security.
You mean . . . they're running Windows?!
That could well be true! Imagine having to use Windows every day though? The agony, the anger, the frustration, the distractions and to top it all off, you upload an infected game.
Ehvis Oct 12, 2023
I find it kind of weird that we've had to provide a login every time we have to pay, but that devs could just change public facing builds without any form of extra explicit authentication. Sounds like something that should have been done a long time ago.
Nateman1000 Oct 12, 2023
Quoting: BlackBloodRum
Quoting: Purple Library Guy
Quoting: BlackBloodRum
Why is the game blurred? This developer should put their hands up and admit they failed basic computer security.
You mean . . . they're running Windows?!
That could well be true! Imagine having to use Windows every day though? The agony, the anger, the frustration, the distractions and to top it all off, you upload an infected game.
Many think Windows disease is incurable but it is very curable. So make sure to get a Linux or BSD distribution for your computer and cure this disease
Liam Dawe Oct 12, 2023
Quoting: BlackBloodRum
Why is the game blurred? This developer should put their hands up and admit they failed basic computer security. They compromised their customers' safety, so realistically it should be public knowledge (else, a customer could be infected by their infected game and not even know it!). Even if that may only be "less than 100 Steam Accounts". I doubt this is the first incident.

They should absolutely be public about this.
The developer only seems to have posted about it on their Steam forum but not in any announcement.
Kimyrielle Oct 12, 2023
I wonder why Steam can't just support hardware tokens, like everyone else. I hate using phones as security tokens because they become a single point of failure (and also because I don't trust big business not to lose/abuse my phone number). :S
denyasis Oct 12, 2023
Quoting: Nateman1000
Quoting: BlackBloodRum
Quoting: Purple Library Guy
Quoting: BlackBloodRum
Why is the game blurred? This developer should put their hands up and admit they failed basic computer security.
You mean . . . they're running Windows?!
That could well be true! Imagine having to use Windows every day though? The agony, the anger, the frustration, the distractions and to top it all off, you upload an infected game.
Many think Windows disease is incurable but it is very curable. So make sure to get a Linux or BSD distribution for your computer and cure this disease

This is probably ignorance on my part, but how is security better with Linux in this situation? We're (mostly) running these programs wide open out of the home drive (maybe some ppl are using flatpak or snap, but even then that's not a default requirement on most distros and people still poke holes in those sandboxes regularly). No, it can't infect "the system", but since we're executing programs out of /home, isn't that good enough? The malware is still running under the user's permissions, it can still execute in /home, read data, access the network, etc.

Maybe I'm missing something fundamental with Linux security, but it seems once I log in anything within the user space can run under my permissions, malware or not? Especially if it's malware hidden in a program/game that I intentionally started?

I've used Linux a very long time, but I'm self-taught.... Security is one of those Linux areas that's always been complex for me to grasp in a meaningful way.
BlackBloodRum Oct 12, 2023
For a typical desktop system without additional protection whatsoever, the malware may work. But consider this, what is malware trying to do, and where is it looking?

It's almost certain it'll look for typical Windows locations, which would be those provided by Proton (Wine). In the case of a Steam game running via Proton for example, that means it will find steamapps/compatdata/(gameid)/pfx/drive_c/* by default. The good news is, unlike regular Wine, Proton doesn't link users/steamuser/Documents to your real documents location.

So it's possible the malware will simply do nothing of harm to a Linux machine.

However, that doesn't mean you can simply forget and dismiss it! It is possible the malware has been trained to handle Linux, in which case it will try to get access to your home directory. Worst case here is your home directory gets hosed, and data which your user has permission to modify is altered, which is fairly minor.

You can prevent this situation in a couple of ways: you could prevent access to those files using AppArmor or SELinux, and you could combine that with, or use only, flatpak with a proper configuration by modifying the permissions to revoke "All User/System/anything Files". It simply doesn't need it, along with disabling access to xdg-music, xdg-pictures. Steam only needs to access the locations that it is instructed to download games to (your library), so you can specify only that directory as read/write and block everything else. It shouldn't need other directories, but if it does and doesn't need to write to them, then set it to read-only.

This advice applies to basically all flatpak apps. Only give minimal permissions. For example with Bottles, you might download your GOG games to a home directory folder like ~/Games; well, Bottles doesn't need to write to those GOG installers. So it can be safely set to read-only for Bottles.

Oh, and the big one: Keep things updated with the latest security patches.

These are simple security measures, but it should be more than enough to prevent Windows-based malware from escaping its Wine prefix.

It might not, however, stop an attack specifically targeted at you. A key thing to remember: security isn't something you can just say "must be like this" for. Different environments have different threat models.

Know your threat model, and adjust your security as necessary.
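
The minimal-permission Flatpak setup described in the comment above, as an added example that is not part of the original comment: it classifies an app's current filesystem grants and prints the `flatpak override` commands that revoke broad access, downgrade other writable paths to read-only and keep one library directory writable. The library path `/mnt/games`, the sample grant list and the helper names are assumptions; `com.valvesoftware.Steam` is the Flathub app ID for Steam.

```sh
#!/bin/sh
# Added example: plan `flatpak override` commands for a minimal-permission
# setup. Commands are printed for review, not executed.

# Constructed sample, in the semicolon-separated form of the [Context]
# "filesystems=" key shown by `flatpak info --show-permissions APP_ID`.
# This is not Steam's real default permission set.
SAMPLE_GRANTS='home;xdg-music:ro;xdg-pictures:ro;/mnt/games;/srv/mods;/srv/installers:ro;'

# classify GRANT LIBRARY -> keep | revoke | readonly | leave
classify() (
  path=${1%%:*}                                   # strip ":ro" / ":rw" / ":create"
  if [ "$path" = "$2" ]; then echo keep; exit; fi # the one read/write location
  case $path in
    host|host-os|host-etc|home|xdg-*) echo revoke; exit ;;  # broad or personal data
  esac
  case $1 in
    *:ro) echo leave ;;      # already read-only
    *)    echo readonly ;;   # writable but not the library: downgrade
  esac
)

# plan_overrides APP_ID LIBRARY GRANTS -> one command per line on stdout
plan_overrides() (
  app=$1 library=$2
  printf '%s\n' "$3" | tr ';' '\n' | while IFS= read -r grant; do
    [ -n "$grant" ] || continue                   # skip the empty trailing field
    path=${grant%%:*}
    case $(classify "$grant" "$library") in
      revoke)   echo "flatpak override --user --nofilesystem=${path} ${app}" ;;
      readonly) echo "flatpak override --user --filesystem=${path}:ro ${app}" ;;
    esac
  done
  # Granting the library again is harmless if it was already present.
  echo "flatpak override --user --filesystem=${library} ${app}"
)

# Hypothetical library location; replace with your own Steam library path.
plan_overrides com.valvesoftware.Steam /mnt/games "$SAMPLE_GRANTS"
```

After applying the printed commands, `flatpak info --show-permissions com.valvesoftware.Steam` shows the resulting grants.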