In a move to enhance security, Valve introduced additional precautions for developers who publish games on Steam, notably the inclusion of SMS-based confirmation codes. This decision follows a surge in malicious updates originating from hijacked publisher accounts.
Steamworks, the core behind the process, is a collection of tools and services that game and software developers leverage to release their products on the Steam platform. This suite encompasses features like digital rights management (DRM), multiplayer support, video streaming, matchmaking, achievement tracking, in-game voice and chat, microtransactions, data analytics, cloud storage, and the facilitation of community-generated content via Steam Workshop.
Throughout the latter part of August and into September 2023, a rise in reports concerning breached Steamworks accounts surfaced. These reports indicated that adversaries had uploaded harmful versions of games, putting players at risk of malware infections.
Valve, aiming to reassure the gaming community, clarified that these attacks impacted only a minor segment, affecting several hundred users. Those impacted were directly notified about the possible security incident through official communications from the company.
In response to these concerns, Valve announced an SMS-based security measure to launch on October 24, 2023. It requires game developers to complete a verification step via SMS before publishing an update to the primary release branch; beta branches are not affected. The same SMS verification will also be mandatory for adding new members to a Steamworks partner group, an action already protected by email confirmation. From that date, the group administrator will need to approve such actions with an SMS confirmation code.
Summarizing the new policy, Valve stated that any Steamworks account that sets builds live on the primary/public branch of a released application will need a linked phone number so that Valve can send a confirmation code to the account holder. The change takes effect on October 24, 2023, and Valve recommends attaching a phone number before that date. Valve also indicated that it intends to extend this requirement to other Steamworks operations in the future.
Users of the SetAppBuildLive API now also have to supply a steamID for approval when making changes to the primary branch of a released app. The ‘steamcmd’ tool can no longer be used to set builds live on that branch.
Valve also underscored the point that there will be no alternatives provided for developers lacking a phone number. Such developers are advised to ensure they have means to receive SMS messages to maintain their publishing privileges on Steam.
However, while the SMS verification approach marks progress in tightening Steam’s supply chain security, it’s not without flaws.
Game developer Benoît Freslon shared his experience where he became a victim of malware designed to extract personal information. This malware was responsible for siphoning his login details, which culminated in a brief malicious update for the game NanoWar: Cells VS Virus, exposing players to malware threats.
In his online communications, Freslon mentioned that this type of malware could bypass the SMS-based security Valve implemented because it captures session tokens across accounts. This malicious software infiltrated his system through a deceptive tactic on Discord, where he was lured into downloading a game called “Extreme Invaders.” This game was a front for malware that targeted a plethora of his accounts, including Discord, Steam, and Twitch, among others. As long as these session tokens remained active, attackers had free rein to release malicious game updates.
Moreover, SMS-based 2FA has inherent weaknesses, such as susceptibility to SIM-swap attacks, in which an adversary has the developer’s phone number transferred to another SIM and thereby receives the confirmation codes, rendering the control ineffective. A more robust approach would be to mandate authenticator applications or hardware security keys, particularly for large projects with sizable communities.