Share this article on:
Video game marketplace Steam is implementing additional security measures to combat the growing number of malware-ridden updates from infected publisher accounts.
In late August and September 2023, there was an increased number of reports of compromised Steamworks accounts publishing updates designed to infect unaware players with malware.
Steamworks is Steam’s development suite, containing a number of tools for developers and publishers, with support for digital rights management, video streaming, achievements, multiplayer, voice chat, matchmaking, community-made content, statistics and more.
Valve has said that the cases of compromised Steamworks accounts infecting unaware gamers were limited to a few hundred, who had been informed individually. Despite this, Valve has introduced SMS-based security checks for developers looking to launch updates.
The measure, which will be introduced on 24 October, will require developers to verify any published updates before they go live via SMS, something they are already required to do via email.
“As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account so that Steam can text you a confirmation code before continuing,” said Valve in an announcement post.
“The same will be true for any Steamworks account that needs to add new users. This change will go live on October 24, 2023, so be sure to add a phone number to your account now.
“We also plan on adding this requirement for other Steamworks actions in the future.”
The new measure is limited to updates released under the default branch, and thus, beta updates will not require verification.
In addition, developers using the SetAppBuildLive API will have to verify using steamID, with a verification request being sent to the Steam Mobile app.
The downside of the new measures is that developers without a phone number will not be provided with any way of sending updates, with no workaround or alternative verification available.
The other issue is that while the measures do combat the release of malware via compromised accounts, it isn’t foolproof.
As first reported by BleepingComputer, some game developers, such as Benoît Freslon, have had their accounts infected by info-stealing malware, meaning that the new authentication process would not prevent malware from going out.
Hey Simon, I'm the developer of this game. ALL my accounts were hacked by a Token Grabber Malware. Unfortunately, the 2FA i s useless if the token is still active. I just used my dev account to release the game few hours before the hack I suppose.
— Benoît Freslon 👨💻 VideoGameCreation.fr (@BenoitFreslon) October 11, 2023