Steam browser security loophole spotted

A report from hardware and software security firm Revuln has been posted online, highlighting a security flaw that could allow attackers to target PCs using Steam browser launch commands. The steam:// URL is a quick way to install and launch games from a browser. Revuln point out that Safari can launch steam:// commands silently without the user knowing, providing a window of opportunity for attackers.

The report highlights ways in which local processes that exist on our PCs as part of game installations could be misused to cause mischief. Revuln highlight different attack strategies using Source and Unreal engine games. The good news is that major browsers like Internet Explorer, Firefox and Chrome, give warning before programs are launched. Valve will surely be right on this, if they haven't found a fix already. Until then it might be wise to avoid Safari and, as always, say no to any unexpected program launches.


Tom stopped being a productive human being when he realised that the beige box under his desk could play Alpha Centauri. After Deus Ex and Diablo 2 he realised he was cursed to play amazing PC games forever. He started writing about them for PC Gamer about six years ago, and is now UK web ed.
We recommend