Steam browser security loophole spotted

A report from hardware and software security firm Revuln has been posted online, highlighting a security flaw that could allow attackers to target PCs using Steam browser launch commands. The steam:// URL is a quick way to install and launch games from a browser. Revuln point out that Safari can launch steam:// commands silently without the user knowing, providing a window of opportunity for attackers.

The report highlights ways in which local processes that exist on our PCs as part of game installations could be misused to cause mischief. Revuln highlight different attack strategies using Source and Unreal engine games. The good news is that major browsers like Internet Explorer, Firefox and Chrome, give warning before programs are launched. Valve will surely be right on this, if they haven't found a fix already. Until then it might be wise to avoid Safari and, as always, say no to any unexpected program launches.

Tom Senior

Part of the UK team, Tom was with PC Gamer at the very beginning of the website's launch—first as a news writer, and then as online editor until his departure in 2020. His specialties are strategy games, action RPGs, hack ‘n slash games, digital card games… basically anything that he can fit on a hard drive. His final boss form is Deckard Cain.