Monday, November 25, 2024

Steam enforces SMS verification to curb malware-ridden updates



Valve has announced additional security measures for developers publishing games on Steam, including SMS-based confirmation codes. This is to deal with a recent outbreak of malicious updates pushing malware from compromised publisher accounts.

Steamworks is a set of tools and services that developers and publishers of games and software use to distribute their products on the Steam platform.

It supports DRM (digital rights management), multiplayer, video streaming, matchmaking, an achievements system, in-game voice and chat, microtransactions, statistics, cloud saving, and community-made content sharing (Steam Workshop).

Starting in late August and into September 2023, there was an increased number of reports about compromised Steamworks accounts, with the attackers uploading malicious builds that infect players with malware.

Valve assured the gaming community that the impact of these attacks was limited to a few hundred users, who were individually informed of the potential breach through notices sent by the company.

Notice sent to impacted players (@SteamDB)

To curb this problem, Valve will implement a new SMS-based security check starting on October 24, 2023, which game developers must pass before pushing an update on the default release branch (not beta releases).

The same requirement will be enforced when someone attempts to add new users to the Steamworks partner group, which is already protected by an email-based confirmation. Starting October 24, the group admin must verify the action with an SMS code.

“As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing,” reads Valve’s announcement from earlier this week.

“The same will be true for any Steamworks account that needs to add new users. This change will go live on October 24, 2023, so be sure to add a phone number to your account now.”

“We also plan on adding this requirement for other Steamworks actions in the future.”

For those using the SetAppBuildLive API, Steam has updated it to require a steamID for confirmation, particularly for changes to the default branch of a released app.

Using ‘steamcmd’ to set builds live is no longer applicable for managing the default branch of released apps.

Also, Valve says there will be no workaround for developers without a phone number, so they must find a way to receive text messages to continue publishing on the platform.

Not a perfect solution

While introducing SMS-based verification is a good step towards achieving better supply chain security on Steam, the system is far from perfect.

One of the game developers, Benoît Freslon, explained that he was infected with information-stealing malware that was used to steal his credentials.

Using these stolen credentials, the threat actor briefly pushed out a malicious update for NanoWar: Cells VS Virus that infected players with malware.

Freslon explained on Twitter that Valve’s new SMS-based MFA security measure wouldn’t have helped stop the attack, as the info-stealer malware snatched session tokens to all his accounts.


In a separate post on his website, the game developer explained that the attack occurred on Discord, with the threat actors tricking him into downloading and reviewing a Unity game named “Excessive Invaders.”

The game installer dropped password-stealing malware on his computer, which targeted his Discord, Steam, Twitch, Twitter, and other accounts.

Until the tokens were revoked or expired, the attackers continued to access the developer’s accounts, remaining free to push malware-laced game updates to players.

Also, SMS 2FA is inherently vulnerable to SIM-swap attacks, where threat actors can port the number of a game developer to a new SIM and bypass the security measure.

A better and more modern solution would be to implement authenticator apps or physical security keys, especially for projects with large communities.
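
To make the authenticator-app suggestion above concrete, here is an added sketch (not Valve's code and not from the original article) of a per-action check: a valid session alone is enough for beta branches, while setting a build live on the default branch or adding a user needs a fresh RFC 6238 TOTP code that cannot be replayed. The `Gate` class, the action names and the secret are hypothetical, constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample secret (the RFC 6238 test key), illustration only.
SECRET = b"12345678901234567890"
STEP = 30  # seconds per TOTP time step
# Hypothetical action names modelled on the article's two protected actions.
STEP_UP_ACTIONS = {("set_build_live", "default"), ("add_user", None)}

def totp(secret, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Gate:
    """Per-action step-up: a session token alone never satisfies it."""

    def __init__(self, secret):
        self.secret = secret
        self.last_counter = -1  # highest time step already consumed

    def authorize(self, session_valid, action, branch, code, now):
        if not session_valid:
            return "deny: no session"
        if (action, branch) not in STEP_UP_ACTIONS:
            return "allow"  # e.g. beta branches need no confirmation
        if code is None:
            return "deny: step-up required"
        for drift in (0, -1):  # current step, then previous (clock skew)
            counter = int(now) // STEP + drift
            expected = totp(self.secret, counter * STEP)
            # Reject any step at or before the last one used (replay).
            if counter > self.last_counter and hmac.compare_digest(code, expected):
                self.last_counter = counter
                return "allow"
        return "deny: bad or replayed code"
```

A code observed once is useless for a second publish, but the check only constrains whoever lacks the authenticator secret; it does nothing for sessions on actions outside `STEP_UP_ACTIONS`.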


