Steam uses insecure, out-of-date Chromium browser

Martin Brinkmann
Feb 8, 2016

Valve has integrated a custom version of the Chromium web browser in its Steam client that displays web content to Steam users.

If the past couple of weeks have shown anything, it is that custom Chromium or Chrome versions are a security risk more often than not.

Google analyzed third-party implementations of its Chromium browser recently, and came to the conclusion that they made user systems less secure despite claiming the opposite.

The main reason for this was that companies disabled security features of the Chromium browser, or circumvented them.

Valve's Steam client uses a custom version of Chromium as well, and it turns out that this version is also insecure.

Chromium Embedded Framework (CEF) is an extension of the Chromium browser rendering engine, an open-source project which is a component of Google Chrome.

The Steam client on Windows and OS X uses a customized version of CEF to render web content.

A user reported his findings on the official Valve Software Github repository, stating that the built-in version of Chromium was outdated and running without sandbox.

The chromium browser on steam is based on version 47, a vulnerable and out of date version.

Chromium runs with --no-sandbox by default on steam.

The most recent version of Chromium is version 50 currently, which means that the chromium browser used by Steam is out of date.

Google fixed several security issues in these newer versions of Chromium leaving the Steam version of the browser vulnerable to them.

The sandbox, enabled by default in Chromium, allows for the creation of sandboxed processes which run in restrictive environments. The sandbox protects the underlying system and data on it among other things from malicious processes.

Chrome users can use the parameter --no-sandbox to disable the sandbox in Chrome, but doing so removes its protective features and leaves the system wide open for attacks.

Both bugs have been recognized by Valve, and a user has been assigned to each of them. A target milestone is not listed yet though and there is no indication when the security issues will be fixed by Valve.

Steam users should consider using an external up-to-date web browser for the time being instead of the built-in Steam web browser until the issues are fixed by Valve.

Rob Joyce, chief of the NSA's Tailored Access Operations (TAO) mentioned recently that Steam is a popular attack vector.

Steam uses insecure, out-of-date Chromium browser
Article Name
Steam uses insecure, out-of-date Chromium browser
The Steam client uses an out-of-date, insecure version of the Chromium web browser currently to display web content.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. steamedcake said on May 29, 2016 at 3:27 am

    I know right? I’ve been VAC banned in the past because of their insecure browser. I tried technical support and they said it was my fault. Is it my fault they’re using an outdated browser? Is it my fault that their technical support is crap? HELL NO! IT’S THEIR FAULT FOR NOT TAKING PRECAUTIONS SO THEIR USERS ARE PROTECTED!

  2. psiclone said on February 11, 2016 at 5:06 pm

    It’s a popular attack vector, because Steam doesn’t give a crap about it’s users at all. It’s extremely evident in the lack of responses to users in their forums to address real issues like this.

  3. 87g said on February 10, 2016 at 9:16 pm

    This is actually worse than described, when you connect to game servers (Valve source games at least, which are the most popular and some free) they display a web page, also called MOTD (message of the day). Server admin’s (which can be absolutely anyone) can send you to any web page of their choosing, such as their own home made exploit page. So if you start winning vs an admin, there’s nothing stopping them giving you a virus. Great. Cryptolocker, keylogger or VAC banned cheat anyone…?

  4. Ben said on February 9, 2016 at 10:36 pm

    Never expected the browser inside steam as safe.
    Why should it be?

  5. Cabron said on February 9, 2016 at 12:34 pm

    So it’s insecure because it doesnt use the latest version released 5 days ago? xD

    1. Pants said on February 9, 2016 at 1:20 pm

      Regardless of the version (I guess somewhere, someone made a mistake re v47 (probably the stable at the time) vs v50), it is running with the –no-sandbox argument. I have no idea why Valve would do that, maybe there’s a technical reason

  6. The MAZZTer said on February 9, 2016 at 2:49 am

    Hi, the latest STABLE Chromium is 48, not 50. I think you are looking at the trunk which is not intended for general widespread usage. The latest STABLE version of Chromium will always match the Stable Chrome version (which is 48).

    [Edit: Looks like according to the latest stable CEF is 47, which is lagging behind Chromium. Not Valve’s fault.]

  7. Womble said on February 9, 2016 at 12:50 am

    One can always rely on Steam to bring out the drama queens.

  8. Nebulus said on February 8, 2016 at 11:19 pm

    Why would anyone use the browser from Steam for something else than browsing Steam site? That reduces that attack surface a lot, IMO…

    1. Martin Brinkmann said on February 9, 2016 at 5:59 am

      I never use it to access sites that are not part of Steam, but I know quite a few users who use it while in game to browse websites.

    2. dwarf_t0ssn said on February 9, 2016 at 1:25 am

      It’s useful for the odd in-game google search as well. FAQs, etc.

  9. S2015 said on February 8, 2016 at 10:59 pm

    to fix the hole, the one could try upgrading his or her Chromium client to the latest version of it manually. As for security, after all, Steam is e-distribution platform: you have to be careful when making a deal with other users on the site.

  10. Gary D said on February 8, 2016 at 6:24 pm

    Martin, thanks for the link to enigma 2016 and Rob Joyce. It’s a very illuminating read.

    Reference Steam vulnerabilities, does Valve ever test its software ??

    1. jort93 said on June 14, 2016 at 11:19 pm

      they do. theres a public beta available weeks ore sometimes months before release for every update.

    2. Joker said on February 8, 2016 at 9:34 pm

      “does Valve ever test its software ??”

      Does testing sell more virtual hats/costumes/crates/whatever? Yes/No
      Does having proper customer-support sell more virtual hats/costumes/crates/whatever? Yes/No
      Does having up-to-date software sell more virtual hats/costumes/crates/whatever? Yes/No

      I think we know the answers with regard to Valve.

      1. Pants said on February 9, 2016 at 12:35 am

        Every time Valve test their software, they gain +1 Experience .. true story

    3. Ashrak007 said on February 8, 2016 at 9:02 pm

      Why should they..? They have monopoly power over PC gaming…

      1. Nebulus said on February 8, 2016 at 11:18 pm

        No, they don’t. They are the major player in this field, but not the ONLY player.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.