Valve has announced additional security measures for developers publishing games on Steam, including SMS-based confirmation codes. This is to deal with a recent outbreak of malicious updates pushing malware from compromised publisher accounts.
Steamworks is a set of tools and services that developers and publishers of games and software use to distribute their products on the Steam platform.
It supports DRM (digital rights management), multiplayer, video streaming, matchmaking, an achievements system, in-game voice and chat, microtransactions, statistics, cloud saving, and community-made content sharing (Steam Workshop).
Starting in late August and into September 2023, there was an increased number of reports about compromised Steamworks accounts and attackers uploading malicious builds that infect players with malware.
Valve assured the gaming community that the impact of these attacks was limited to a few hundred users, who were individually informed of the potential breach via notices sent by the company.
To curb this problem, Valve will implement a new SMS-based security check starting on October 24, 2023, which game developers must pass before pushing an update to the default release branch (not beta releases).
The same requirement will be enforced when someone attempts to add new users to the Steamworks partner group, which is already protected by an email-based confirmation. Starting October 24, the group admin must verify the action with an SMS code.
“As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account so that Steam can text you a confirmation code before continuing,” reads Valve’s announcement from earlier this week.
“The same will be true for any Steamworks account that needs to add new users. This change will go live on October 24, 2023, so be sure to add a phone number to your account now.”
“We also plan on adding this requirement for other Steamworks actions in the future.”
For those using the SetAppBuildLive API, Steam has updated it to require a steamID for confirmation, specifically for changes to the default branch of a released app.
Using ‘steamcmd’ to set builds live is no longer applicable for managing the default branch of released apps.
Also, Valve says there will be no workaround for developers without a phone number, so they must find a way to receive text messages to continue publishing on the platform.
Not a perfect solution
While introducing SMS-based verification is a good step towards achieving better supply chain security on Steam, the system is far from perfect.
One of the game developers, Benoît Freslon, explained that he was infected with information-stealing malware that was used to steal his credentials.
Using these stolen credentials, the threat actor briefly pushed out a malicious update for NanoWar: Cells VS Virus that infected players with malware.
Freslon explained on Twitter that Valve’s new SMS-based MFA security measure wouldn’t have helped stop the attack, as the info-stealer malware snatched session tokens for all his accounts.
In a separate post on his website, the game developer explained that the attack occurred on Discord, with the threat actors tricking him into downloading and reviewing a Unity game named “Extreme Invaders.”
The game installer dropped password-stealing malware on his computer, which targeted his Discord, Steam, Twitch, Twitter, and other accounts.
Until the tokens were revoked or expired, the attackers continued to access the developer’s accounts, remaining free to push malware-laced game updates to players.
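As an added illustration (not Steam’s code and not taken from Valve’s announcement or Freslon’s post), the toy service below models two of the controls discussed above: a per-action confirmation code that a copied session token alone cannot satisfy when a build is set live on the default branch (beta pushes need none), and revocation of every session, which is what ends access through a stolen token. The class and method names, the 300-second freshness window and the phone number on file are all assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    last_confirmed: float = 0.0  # time of last out-of-band confirmation, 0 = never

class PublishService:
    """Toy model (an assumption, not Steam's code) of per-action confirmation."""
    STEP_UP_TTL = 300  # seconds a confirmation stays fresh (assumed value)

    def __init__(self):
        self.sessions = {}       # session token -> Session
        self.pending = {}        # session token -> code awaiting entry
        self.phone_numbers = {}  # user -> phone number on file (constructed data)

    def login(self, user):
        token = secrets.token_hex(16)  # this is what an info-stealer would copy
        self.sessions[token] = Session(user)
        return token

    def request_code(self, token):
        s = self.sessions[token]
        if s.user not in self.phone_numbers:
            raise PermissionError("no phone number on account")
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[token] = code
        return code  # would go out by SMS; returned only so the demo can enter it

    def confirm(self, token, code):
        expected = self.pending.pop(token, None)
        s = self.sessions.get(token)
        if s is None or expected is None or not secrets.compare_digest(expected, code):
            return False
        s.last_confirmed = time.time()
        return True

    def set_build_live(self, token, branch):
        s = self.sessions.get(token)
        if s is None:
            raise PermissionError("invalid or revoked session")
        # The default branch reaches all players, so a valid session alone is not enough.
        if branch == "default" and time.time() - s.last_confirmed > self.STEP_UP_TTL:
            raise PermissionError("fresh confirmation required for default branch")
        return f"{s.user} set build live on {branch}"

    def revoke_all(self, user):
        self.sessions = {t: s for t, s in self.sessions.items() if s.user != user}
```

With a valid token but no code, a default-branch push is refused while a beta push goes through; after `revoke_all` the token is useless for either.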
Also, SMS 2FA is inherently weak to SIM-swap attacks, where threat actors can port a game developer’s number to a new SIM and bypass the security measure.
A better and more modern solution would be to implement authenticator apps or physical security keys, especially for projects with large communities.