About two weeks ago, Artem Moskowsky, a professional bughunter and pen tester, disclosed a bug in Steamworks, an important component of the Steam gaming platform. A few days after the disclosure, ZDNet provided additional visibility by interviewing Arlem. Steam had patched the bug prior to the announcement.
More specifically, Steamworks provides access to CD keys so that the Steam users can activate the games they have rented and downloaded. The bug resides in the API that provides the key to the Steam client (that end users install in their computers.) The API takes as inputs several variables that pinpoint the game such as game identifier, number of keys in the game, and what key in particular is being requested.
Prior to the correction of the Steam bug, the API took the number of keys that the user client sent as a true value, and under certain conditions, such as when setting the number of keys to zero, the API bypassed the game ownership validation process. As a result, the API provided valid keys to users that had not purchased or rented the games.
We can see several design flaws in this API: first, the API took information sent by a client as truth, and second, the API did not conduct a proper whitelist validation against the games that the user is rightfully allowed to activate.
In essence, this behavior is similar to another incident we covered in August, a parameter tampering bug in LifeLock, an identity theft protection service. Hdiv Protection would have prevented these two incidents automatically.
How Hdiv would have prevented the Steam bug
The protection offered by Hdiv is based on the full monitoring of the data exchange between client and server. This traffic analysis makes possible to maintain full control of the interaction, and it also enables automatic checks against malicious client-side request manipulations. In particular:
Hdiv Protection is able to maintain a whitelist of entities associated to each user. Subsequent requests are validated against this set of valid identifiers, and if not found, the request is blocked. In this case, as the Steam server communicates with the client to provide the list of valid games, Hdiv records and keep this list. Later on, when the Steam client attempts to retrieve a key for a game, Hdiv would check that the game id is in the stored list. All this happens automatically, with no learning processes, no mappings, and no source code modifications.
Even in the case that a request bypasses rightful ownership validation, a malicious client-side modification of identifiers would be blocked. In the Steam case, game identifiers are sent in clear text, so the client can start checking random, or sequential game IDs. Hdiv obfuscates the IDs so random IDs would not be successfully linked to actual games.
If you are curious about the Steam bug and this type of protection, drop us a note (daniel at hdivsecurity dot com) and we will be happy to review in detail.