Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Steam curbs malicious updates from compromised developer accounts

Video game marketplace Steam is implementing additional security measures to combat the growing number of malware-ridden updates from infected publisher accounts.

user icon Daniel Croft
Mon, 16 Oct 2023
Steam curbs malicious updates from compromised developer accounts
expand image

In late August and September 2023, there was an increased number of reports of compromised Steamworks accounts publishing updates designed to infect unaware players with malware.

Steamworks is Steam’s development suite, containing a number of tools for developers and publishers, with support for digital rights management, video streaming, achievements, multiplayer, voice chat, matchmaking, community-made content, statistics and more.

Valve has said that the cases of compromised Steamworks accounts infecting unaware gamers were limited to a few hundred, who had been informed individually. Despite this, Valve has introduced SMS-based security checks for developers looking to launch updates.

============
============

The measure, which will be introduced on 24 October, will require developers to verify any published updates before they go live via SMS, something they are already required to do via email.

“As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account so that Steam can text you a confirmation code before continuing,” said Valve in an announcement post.

“The same will be true for any Steamworks account that needs to add new users. This change will go live on October 24, 2023, so be sure to add a phone number to your account now.

“We also plan on adding this requirement for other Steamworks actions in the future.”

The new measure is limited to updates released under the default branch, and thus, beta updates will not require verification.

In addition, developers using the SetAppBuildLive API will have to verify using steamID, with a verification request being sent to the Steam Mobile app.

The downside of the new measures is that developers without a phone number will not be provided with any way of sending updates, with no workaround or alternative verification available.

The other issue is that while the measures do combat the release of malware via compromised accounts, it isn’t foolproof.

As first reported by BleepingComputer, some game developers, such as Benoît Freslon, have had their accounts infected by info-stealing malware, meaning that the new authentication process would not prevent malware from going out.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.