Valve has announced additional security measures for developers publishing games on Steam, including SMS-based confirmation codes, to deal with a recent outbreak of malicious updates pushed from compromised publisher accounts.
Steamworks is a set of tools and services developers and publishers of games/software use to distribute their products on the Steam platform.
It supports DRM (digital rights management), multiplayer, video streaming, matchmaking, an achievements system, in-game voice and chat, microtransactions, statistics, cloud saving, and community-made content sharing (Steam Workshop).
Since late August and through September 2023, there has been an elevated number of reports of compromised Steamworks accounts being used by attackers to upload malicious builds that infect players with malware.
Valve assured the gaming community that the impact of these attacks was limited to a few hundred users, who were individually informed of the potential breach via notices sent by the company.
To curb this problem, Valve will enforce a new SMS-based security check starting on October 24, 2023, which game developers must pass before pushing an update on the default release branch (not beta releases).
The same requirement will be enforced when someone attempts to add new users to the Steamworks partner group, which is already protected by an email-based confirmation. Starting October 24, the group admin must verify the action with an SMS code.
"As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account so that Steam can text you a confirmation code before continuing," reads Valve's announcement from earlier this week.
"The same will be true for any Steamworks account that needs to add new users. This change will go live on October 24, 2023, so be sure to add a phone number to your account now."
"We also plan on adding this requirement for other Steamworks actions in the future."
For those using the SetAppBuildLive API, Steam has updated it to require a steamID for confirmation, particularly for changes to the default branch of a released app.
Using 'steamcmd' to set builds live is no longer supported for the default branch of released apps.
Valve also says there will be no workaround for developers without a phone number, so they must find a way to receive text messages if they want to continue publishing on the platform.
Not a perfect solution
While introducing SMS-based verification is a good step towards achieving better supply chain security on Steam, the system is far from perfect.
Game developer Benoît Freslon explained that his computer was infected with information-stealing malware, which was used to steal his credentials.
Using these stolen credentials, the threat actor briefly pushed a malicious update for his game NanoWar: Cells VS Virus that infected players with malware.
Freslon explained on Twitter that Valve's new SMS-based MFA measure would not have stopped the attack, as the info-stealer malware snatched the session tokens for all his accounts.
In a separate post on his website, the game developer explained that the attack occurred on Discord, with the threat actors tricking him into downloading and reviewing a Unity game named "Extreme Invaders."
The game installer dropped a password-stealing malware on his computer, which targeted his Discord, Steam, Twitch, Twitter, and other accounts.
Until the tokens were revoked or expired, the attackers continued to access the developer's accounts, remaining free to push malware-laced game updates to players.
SMS 2FA is also inherently vulnerable to SIM-swap attacks, in which threat actors port a game developer's phone number to a SIM they control and so bypass the security measure.
A better and more modern solution would be to enforce authenticator apps or physical security keys, especially for projects with large communities.
Comments
fromFirefoxToVivaldi - 8 months ago
Steam should ban all executables, which have as much as a single positive on Virustotal. It should be on the devs to notify antivirus companies about any potential false positives.
EndangeredPootisBird - 8 months ago
The problem is that Virustotal does not represent all capabilities of antivirus software; it's purely static, signature, machine learning, sandbox and heuristic detections, no behavioral detections.
Detections on Virustotal will also often be completely different to ones in a system due to the differences in aggressiveness. Some files will be flagged on Virustotal while they may not be in a real-life system, and vice versa.
GT500 - 8 months ago
That would probably be every game...
Seriously, VirusTotal is a collection of dozens of random security products, many of them are not from companies that make desktop AV solutions and thus wouldn't come in contact with games on any sort of regular basis. Some of them are also rather high in false positives in general. You can't just take what a VirusTotal scan report says at face value, and you can't force a developer to go through a whitelisting process with every AV provider on VirusTotal that's flagging their EXE before they are allowed to publish a critical update to resolve a serious bug or security issue in their game.
To be fair I take issue with Valve's SMS authentication as well. As far as I know SIM swapping is still a thing, and would allow account takeover in a targeted attack. Verification via SMS is (in my opinion) probably the least secure form of multifactor authentication, and should never be mandatory.
h_b_s - 8 months ago
One or two false positives are common on VirusTotal. The vast majority of the scanner collection doesn't detect new malware for Windows very well either. None of them detect Linux or Mac malware pretty much at all, nor much script-based (Python, unix shell, PowerShell) malware for cross-platform malware. Reputation-based detection is pretty much a DOA thing, as all but the big software companies are generally going to fail that kind of gatekeeping, while any updates pushed through compromised supply channels will automatically be passed.
This SMS thing though... that pretty much opens companies up to one of the easiest methods of account theft there is. If I were publishing houses, I'd tell Valve where to push its SMSs... and I don't mean to phones.