Valve has introduced enhanced security measures for developers who publish games on Steam, which now include SMS-based confirmation codes. This move comes in response to a recent surge in malicious updates being disseminated via compromised publisher accounts, resulting in the distribution of malware.
Game Publishing:
Steamworks, a comprehensive suite of tools and services used by game and software developers and publishers to distribute their products on the Steam platform, encompasses features such as DRM, multiplayer, video streaming, achievements, voice and chat, microtransactions, and more.
The Issue Arises:
During late August and September of 2023, numerous reports surfaced regarding compromised Steamworks accounts, with attackers uploading harmful builds that infected players' systems with malware. Valve assured the gaming community that the impact of these attacks was limited to a small number of users, each of whom was individually notified of the potential breach.
SMS-Based Solution:
To address this issue, Valve is introducing a new SMS-based security verification process commencing on October 24, 2023. Game developers will be required to pass this verification before pushing an update on the default release branch, excluding beta releases. The same requirement will be enforced when adding new users to the Steamworks partner group, a process already protected by email-based confirmation. Beginning on October 24, group administrators will need to verify the action using an SMS code.
Valve's announcement states, "As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account so that Steam can text you a confirmation code before continuing."
The same requirement will be applied to other Steamworks actions in the future. Developers using the SetAppBuildLive API will now need to supply a steamID for confirmation, particularly for changes to the default branch of a released app. 'steamcmd' can no longer be used to manage the default branch of released apps.
Valve has stated that there will be no workaround for developers without a phone number, mandating that they find a method to receive text messages to continue publishing on the platform.
While implementing SMS-based verification is a positive step for enhancing supply chain security on Steam, the system is not without flaws. One developer, Benoît Freslon, fell victim to information-stealing malware, which stole his credentials. These stolen credentials were briefly used to push out a malicious update for "NanoWar: Cells VS Virus," infecting players with malware. Freslon explained that Valve's new SMS-based MFA security measure would not have thwarted the attack, as the info-stealer malware had already acquired session tokens for all his accounts.
How the Attack Happened:
The attack on Freslon occurred via Discord, with threat actors tricking him into downloading and reviewing a Unity game called "Extreme Invaders." The game installer introduced password-stealing malware on his computer, targeting his Discord, Steam, Twitch, Twitter, and other accounts. Until the tokens were revoked or expired, the attackers retained access to the developer's accounts, enabling them to distribute malware-infested game updates.
Conclusion:
Additionally, SMS 2FA is susceptible to SIM-swap attacks, where threat actors can transfer a game developer's number to a new SIM card and bypass the security measure. A more robust and contemporary solution would involve implementing authenticator apps or physical security keys, especially for projects with large user bases.