Valve has introduced implementing extra safety measures for builders publishing video games on Steam, together with SMS-based affirmation codes. This is to take care of a current outbreak of malicious updates pushing malware from compromised writer accounts.
Steamworks is a set of instruments and companies builders and publishers of video games/software program use to distribute their merchandise on the Steam platform.
It helps DRM (digital rights administration), multiplayer, video streaming, matchmaking, achievements system, in-game voice and chat, microtransactions, statistics, cloud saving, and community-made content material sharing (Steam Workshop).
Starting in late August and into September 2023, there was an elevated variety of stories about compromised Steamworks accounts and the attackers importing malicious builds that infect gamers with malware.
Valve assured the gaming neighborhood that the affect of those assaults was restricted to some hundred customers, who have been individually knowledgeable of the potential breach by way of notices despatched by the corporate.
To curb this drawback, Valve will implement a brand new SMS-based safety verify beginning on October 24, 2023, which sport builders should cross earlier than pushing an replace on the default launch department (not beta releases).
The identical requirement will probably be enforced when somebody makes an attempt so as to add new customers to the Steamworks associate group, which is already protected by an email-based affirmation. Starting October 24, the group admin should confirm the motion with an SMS code.
“As a part of a safety replace, any Steamworks account setting builds stay on the default/public department of a launched app might want to have a telephone quantity related to their account in order that Steam can textual content you a affirmation code earlier than persevering with,” reads Valve’s announcement from earlier this week.
“The identical will probably be true for any Steamworks account that should add new customers. This change will go stay on October 24, 2023, so make sure you add a telephone quantity to your account now.”
“We additionally plan on including this requirement for different Steamworks actions sooner or later.”
For these utilizing the SetAppBuildLive API, Steam has up to date it to require a steamID for affirmation, notably for modifications to the default department of a launched app.
Using ‘steamcmd’ to set builds stay is now not relevant for managing the default department of launched apps.
Also, Valve says there will probably be no workaround for builders and not using a telephone quantity, so they need to discover a strategy to obtain textual content messages to proceed publishing on the platform.
Not an ideal resolution
While introducing SMS-based verification is an effective step in direction of reaching higher provide chain safety on Steam, the system is much from excellent.
One of the sport builders, Benoît Freslon, defined that he was contaminated with an information-stealing malware that was used to steal his credentials.
Using these stolen credentials, the risk actor briefly pushed out a malicious replace for the NanoWar: Cells VS Virus that contaminated gamers with malware.
Freslon defined on Twitter that Valve’s new SMS-based MFA safety measure would not have helped cease the assault because the info-stealer malware snatched session tokens to all his accounts.
In a separate submit on his web site, the sport developer defined that the assault occurred on Discord, with the risk actors tricking him into downloading and reviewing a Unity sport named “Extreme Invaders.”
The sport installer dropped a password-stealing malware on his laptop, which focused his Discord, Steam, Twitch, Twitter, and different accounts.
Until the tokens have been revoked or expired, the attackers continued to entry the developer’s accounts, remaining free to push malware-laced sport updates to gamers.
Also, SMS 2FA is inherently weak to SIM-swap assaults the place risk actors can port the variety of a sport developer to a brand new SIM and bypass the safety measure.
A greater and extra fashionable resolution could be to implement authenticator apps or bodily safety keys, particularly for tasks with giant communities.