Steam uses insecure, out-of-date Chromium browser - gHacks Tech News

Steam uses insecure, out-of-date Chromium browser

Valve has integrated a custom version of the Chromium web browser in its Steam client that displays web content to Steam users.

If the past couple of weeks have shown anything, it is that custom Chromium or Chrome versions are a security risk more often than not.

Google analyzed third-party implementations of its Chromium browser recently, and came to the conclusion that they made user systems less secure despite claiming the opposite.

The main reason for this was that companies disabled security features of the Chromium browser, or circumvented them.

Valve's Steam client uses a custom version of Chromium as well, and it turns out that this version is also insecure.

Chromium Embedded Framework (CEF) is an extension of the Chromium browser rendering engine, an open-source project which is a component of Google Chrome.

The Steam client on Windows and OS X uses a customized version of CEF to render web content.

A user reported his findings on the official Valve Software Github repository, stating that the built-in version of Chromium was outdated and running without sandbox.

The chromium browser on steam is based on version 47, a vulnerable and out of date version.

Chromium runs with --no-sandbox by default on steam.

The most recent version of Chromium is version 50 currently, which means that the chromium browser used by Steam is out of date.

Google fixed several security issues in these newer versions of Chromium leaving the Steam version of the browser vulnerable to them.

steam vulnerable

The sandbox, enabled by default in Chromium, allows for the creation of sandboxed processes which run in restrictive environments. The sandbox protects the underlying system and data on it among other things from malicious processes.

Chrome users can use the parameter --no-sandbox to disable the sandbox in Chrome, but doing so removes its protective features and leaves the system wide open for attacks.

Both bugs have been recognized by Valve, and a user has been assigned to each of them. A target milestone is not listed yet though and there is no indication when the security issues will be fixed by Valve.

Steam users should consider using an external up-to-date web browser for the time being instead of the built-in Steam web browser until the issues are fixed by Valve.

Rob Joyce, chief of the NSA's Tailored Access Operations (TAO) mentioned recently that Steam is a popular attack vector.

steam games security threat

Summary
Steam uses insecure, out-of-date Chromium browser
Article Name
Steam uses insecure, out-of-date Chromium browser
Description
The Steam client uses an out-of-date, insecure version of the Chromium web browser currently to display web content.
Author
Publisher
Ghacks Technology News
Logo

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Gary D said on February 8, 2016 at 6:24 pm
    Reply

    Martin, thanks for the link to enigma 2016 and Rob Joyce. It’s a very illuminating read.

    Reference Steam vulnerabilities, does Valve ever test its software ??

    1. Ashrak007 said on February 8, 2016 at 9:02 pm
      Reply

      Why should they..? They have monopoly power over PC gaming…

      1. Nebulus said on February 8, 2016 at 11:18 pm
        Reply

        No, they don’t. They are the major player in this field, but not the ONLY player.

    2. Joker said on February 8, 2016 at 9:34 pm
      Reply

      “does Valve ever test its software ??”

      Does testing sell more virtual hats/costumes/crates/whatever? Yes/No
      Does having proper customer-support sell more virtual hats/costumes/crates/whatever? Yes/No
      Does having up-to-date software sell more virtual hats/costumes/crates/whatever? Yes/No

      I think we know the answers with regard to Valve.

      1. Pants said on February 9, 2016 at 12:35 am
        Reply

        Every time Valve test their software, they gain +1 Experience .. true story

    3. jort93 said on June 14, 2016 at 11:19 pm
      Reply

      they do. theres a public beta available weeks ore sometimes months before release for every update.

  2. S2015 said on February 8, 2016 at 10:59 pm
    Reply

    to fix the hole, the one could try upgrading his or her Chromium client to the latest version of it manually. As for security, after all, Steam is e-distribution platform: you have to be careful when making a deal with other users on the site.

  3. Nebulus said on February 8, 2016 at 11:19 pm
    Reply

    Why would anyone use the browser from Steam for something else than browsing Steam site? That reduces that attack surface a lot, IMO…

    1. dwarf_t0ssn said on February 9, 2016 at 1:25 am
      Reply

      It’s useful for the odd in-game google search as well. FAQs, etc.

    2. Martin Brinkmann said on February 9, 2016 at 5:59 am
      Reply

      I never use it to access sites that are not part of Steam, but I know quite a few users who use it while in game to browse websites.

  4. Womble said on February 9, 2016 at 12:50 am
    Reply

    One can always rely on Steam to bring out the drama queens.

  5. The MAZZTer said on February 9, 2016 at 2:49 am
    Reply

    Hi, the latest STABLE Chromium is 48, not 50. I think you are looking at the trunk which is not intended for general widespread usage. The latest STABLE version of Chromium will always match the Stable Chrome version (which is 48).

    [Edit: Looks like according to https://cefbuilds.com/#branch_2526 the latest stable CEF is 47, which is lagging behind Chromium. Not Valve’s fault.]

  6. Cabron said on February 9, 2016 at 12:34 pm
    Reply

    So it’s insecure because it doesnt use the latest version released 5 days ago? xD

    1. Pants said on February 9, 2016 at 1:20 pm
      Reply

      Regardless of the version (I guess somewhere, someone made a mistake re v47 (probably the stable at the time) vs v50), it is running with the –no-sandbox argument. I have no idea why Valve would do that, maybe there’s a technical reason

  7. Ben said on February 9, 2016 at 10:36 pm
    Reply

    Never expected the browser inside steam as safe.
    Why should it be?

  8. 87g said on February 10, 2016 at 9:16 pm
    Reply

    This is actually worse than described, when you connect to game servers (Valve source games at least, which are the most popular and some free) they display a web page, also called MOTD (message of the day). Server admin’s (which can be absolutely anyone) can send you to any web page of their choosing, such as their own home made exploit page. So if you start winning vs an admin, there’s nothing stopping them giving you a virus. Great. Cryptolocker, keylogger or VAC banned cheat anyone…?

  9. psiclone said on February 11, 2016 at 5:06 pm
    Reply

    It’s a popular attack vector, because Steam doesn’t give a crap about it’s users at all. It’s extremely evident in the lack of responses to users in their forums to address real issues like this.

  10. steamedcake said on May 29, 2016 at 3:27 am
    Reply

    I know right? I’ve been VAC banned in the past because of their insecure browser. I tried technical support and they said it was my fault. Is it my fault they’re using an outdated browser? Is it my fault that their technical support is crap? HELL NO! IT’S THEIR FAULT FOR NOT TAKING PRECAUTIONS SO THEIR USERS ARE PROTECTED!

Leave a Reply