Valve has introduced implementing further safety measures for builders publishing video games on Steam, together with SMS-based affirmation codes. That is to take care of a current outbreak of malicious updates pushing malware from compromised writer accounts.
Steamworks is a set of instruments and companies builders and publishers of video games/software program use to distribute their merchandise on the Steam platform.
It helps DRM (digital rights administration), multiplayer, video streaming, matchmaking, achievements system, in-game voice and chat, microtransactions, statistics, cloud saving, and community-made content material sharing (Steam Workshop).
Beginning in late August and into September 2023, there was an elevated variety of stories about compromised Steamworks accounts and the attackers importing malicious builds that infect gamers with malware.
Valve assured the gaming neighborhood that the affect of those assaults was restricted to some hundred customers, who have been individually knowledgeable of the potential breach through notices despatched by the corporate.
To curb this downside, Valve will implement a brand new SMS-based safety verify beginning on October 24, 2023, which sport builders should move earlier than pushing an replace on the default launch department (not beta releases).
The identical requirement will likely be enforced when somebody makes an attempt so as to add new customers to the Steamworks associate group, which is already protected by an email-based affirmation. Beginning October 24, the group admin should confirm the motion with an SMS code.
“As a part of a safety replace, any Steamworks account setting builds reside on the default/public department of a launched app might want to have a telephone quantity related to their account in order that Steam can textual content you a affirmation code earlier than persevering with,” reads Valve’s announcement from earlier this week.
“The identical will likely be true for any Steamworks account that should add new customers. This modification will go reside on October 24, 2023, so you’ll want to add a telephone quantity to your account now.”
“We additionally plan on including this requirement for different Steamworks actions sooner or later.”
For these utilizing the SetAppBuildLive API, Steam has up to date it to require a steamID for affirmation, notably for adjustments to the default department of a launched app.
Utilizing ‘steamcmd’ to set builds reside is now not relevant for managing the default department of launched apps.
Additionally, Valve says there will likely be no workaround for builders and not using a telephone quantity, so they need to discover a technique to obtain textual content messages to proceed publishing on the platform.
Not an ideal resolution
Whereas introducing SMS-based verification is an efficient step in the direction of reaching higher provide chain safety on Steam, the system is much from good.
One of many sport builders, Benoît Freslon, defined that he was contaminated with an information-stealing malware that was used to steal his credentials.
Utilizing these stolen credentials, the risk actor briefly pushed out a malicious replace for the NanoWar: Cells VS Virus that contaminated gamers with malware.
Freslon defined on Twitter that Valve’s new SMS-based MFA safety measure would not have helped cease the assault because the info-stealer malware snatched session tokens to all his accounts.
In a separate publish on his web site, the sport developer defined that the assault occurred on Discord, with the risk actors tricking him into downloading and reviewing a Unity sport named “Excessive Invaders.”
The sport installer dropped a password-stealing malware on his pc, which focused his Discord, Steam, Twitch, Twitter, and different accounts.
Till the tokens have been revoked or expired, the attackers continued to entry the developer’s accounts, remaining free to push malware-laced sport updates to gamers.
Additionally, SMS 2FA is inherently susceptible to SIM-swap assaults the place risk actors can port the variety of a sport developer to a brand new SIM and bypass the safety measure.
A greater and extra fashionable resolution can be to implement authenticator apps or bodily safety keys, particularly for tasks with massive communities.
