Hands Up - This is a PC-jacking! The Wonders of Steam Browser Protocol Vulnerability.
For our readers who are unaware of the wonder that is 'Steam', here's a small description of how it influences our life. Steam is a digital distribution and digital rights management platform for games and other software, and it runs on Windows, Mac OS X and Linux. Valve Corporation, the company that owns it, says that Steam offers over 2,000 titles and has more than 40 million active user accounts.
When Steam is installed on a system, it registers itself as the steam:// URL protocol handler. This means that when a user clicks on a steam:// URL in a program, the URL is passed to the Steam client for execution. A steam:// URL consists of Steam protocol commands, which enable the system to install/uninstall, update and back up files, among many other supported actions.
It sounds simple enough until attackers start exploiting these commands or vulnerabilities to remotely control your PC.
Luigi Auriemma and Donato Ferrante, security researchers and founders of ReVuln, state in their report that attackers can exploit vulnerabilities in the Steam client or in the games installed through it. This is possible because of the way browsers and other applications automatically pass steam:// protocol URLs to the Steam client without asking the user for confirmation or permission.
Different browsers tend to respond differently to a steam:// URL. Internet Explorer 9, Google Chrome and Opera flash warnings to the user along with the full or partial steam:// URL before transferring it to the Steam client for execution. Firefox requests user confirmation only. And in this competition, Safari comes out as the weakest of the lot, automatically executing steam:// URLs without asking the user for permission (feeling a bit rebellious, are we?)
“Mac OS is the secondary platform used on Steam and many games are available for this platform so it has a wide user base,” Auriemma said. This goes to prove that Mac OS is more prone to such attacks.
The Geniuses of ReVuln state:
“All the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine (like Firefox and SeaMonkey) are a perfect vector to perform silent Steam Browser Protocol calls,” the researchers said. “Additionally for browsers like Internet Explorer and Opera it’s still possible to hide the dodgy part of the URL from being shown in the warning message by adding several spaces into the steam:// URL itself.”
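To make the padding trick from the quote concrete from the defender's side, here is an added example (not from ReVuln's report or from Steam) of a check that a content filter or a confirmation prompt could run: it finds steam:// links in a page, flags those carrying a long run of spaces, and builds a display string in which the padding cannot hide anything. The `example-command` URLs and the `PAD_RUN` threshold are constructed assumptions, not real Steam commands.

```javascript
// Added example: flag steam:// links whose whitespace padding could push part
// of the URL out of a browser's external-protocol warning.
// PAD_RUN and the sample URLs are constructed assumptions, not Steam commands.
const PAD_RUN = 4; // consecutive whitespace characters treated as padding

// Decode percent-escapes without throwing on malformed input.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Inspect one URL string and report whether it is a padded steam:// link.
function inspectSteamUrl(raw) {
  const trimmed = raw.trim();
  if (!/^steam:\/\//i.test(trimmed)) {
    return { isSteam: false, padded: false, display: trimmed };
  }
  const decoded = safeDecode(trimmed);
  const runs = decoded.match(/\s+/g) || [];
  const longest = runs.reduce((max, r) => Math.max(max, r.length), 0);
  return {
    isSteam: true,
    padded: longest >= PAD_RUN,
    longestRun: longest,
    // What a confirmation prompt should show: padding made visible, nothing hidden.
    display: decoded.replace(/\s{2,}/g, m => `[${m.length} spaces]`),
  };
}

// Pull href/src attribute values out of an HTML fragment and inspect each one.
function scanHtml(html) {
  const attr = /\b(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const findings = [];
  let m;
  while ((m = attr.exec(html)) !== null) {
    const result = inspectSteamUrl(m[1] !== undefined ? m[1] : m[2]);
    if (result.isSteam) findings.push(result);
  }
  return findings;
}

// Constructed sample page: one plain link, one padded link loaded by an iframe.
const SAMPLE_HTML = `
<a href="steam://example-command/arg">open</a>
<iframe src="steam://example-command/arg%20%20%20%20%20%20%20%20hidden-part"></iframe>
<a href="https://example.com/">unrelated</a>`;
```

Running `scanHtml(SAMPLE_HTML)` returns two findings, and only the iframe entry is marked as padded.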