Valve and HackerOne: A story in how not to handle vulnerability reports

This is my first blog, but I felt like this is something I needed to get off my chest after months. If people enjoy this blog post, I will probably do more in the future.

The saga begins

This whole saga begins on May 23rd 2019. After viewing the requests from my iPhone using a reverse proxy (I can't remember why I did this, but I did nonetheless), I noticed a lot of HTTP requests coming from the Steam mobile app. Out of curiosity I created a simple DNS server to run locally and redirect requests from "store.steampowered.com" to a Python SimpleHTTPServer instance running on port 80. From here, I was able to redirect the user on the store page whilst they wouldn't notice:

My (pretty borked at the time) website being redirected to from a fake store page on the Steam mobile app from my local network.

This is pretty bad since it means that an attacker on the local area network can very easily manipulate the responses, especially on the store page. But it should be a pretty simple fix that should likely take a week tops. Nobody would ever leave a vulnerability like that for months, right?

The initial HackerOne response

Being very concerned about this obvious vulnerability, I went ahead and made a pretty detailed HackerOne request. It's important to note that this bug bounty program by Valve was HackerOne managed. This means that HackerOne process the bug bounty before Valve can even see it. I submitted a fairly detailed HackerOne ticket which should have been enough to set alarm bells ringing and get someone at Valve to see it:

Instead, I got the following response (after one saying they were reviewing my ticket, but this is clearly just an automated one, so skipping over that):

HackerOne staff trying to say that you required physical access to the device to MITM HTTP/DNS.

This clearly made no sense. I would have thought it would be obvious to anyone with basic knowledge of insecure protocols that you can easily perform a man in the middle attack, so I assumed it was a mistake. I replied with the following:

In all fairness, this HackerOne employee did give me the opportunity to explain how it could be exploited and did reopen it, so this could have been a mistake and not a systematic error. The response implied that they were unsure if Valve would close it, but I accept that this person may not understand some different attack vectors and called it a day:

Me explaining to the HackerOne person how it could be exploited

At this point, I was just waiting for Valve to respond, that can't be long, right?

The silent treatment

After this response, the ticket just went silent for over a week. I was getting a bit concerned that nobody has actually seen this within Valve, so I decided to post a message asking for a status update on June 6th 2019:

After getting no response, I thought that there might be an off chance that they are not able to reproduce it as a MITM attack. I wrote a crappy few scripts to do this (I improve this script later on, but this is a botch to help them understand) and explained how it all worked:

Me explaining how to preform a MITM attack

From here, I was pretty frustrated at getting zero responses from anyone, I went ahead and shot Valve an email on both the 13th June 2019 and the 25th June 2019 at their security email:

My "21 day old HackerOne report with no response" email

My "1 month old HackerOne report with no response" email

Both of these emails received literally no response from Valve; almost as if their security email listed on their website is deprecated. I was very annoyed at this point. I attempted to get their attention on Twitter multiple times with no success. On July 11th, I received this email which was somewhat positive:

The response I received out of the blue.

After seeing this, I decided to wait until the 11th August to see if they were actually going to standby responding. A month seemed reasonable after this email.

Hitting the brick wall again

Then it was the 30th August and I was pretty tired of this since it was way over a month. So I decided to tweet them saying I would release it if I didn't get a response. This worked!

Hey @Hacker0x01 , I have an over 3-month-old exploit for Steam which I contacted them on your service about (and your support tried to expedite for me). I tried contacting your support about any mechanisms for publicly disclosing if a company doesn't respond in a reasonable 1/2
— Jake (@JakeBuildsStuff) August 30, 2019

The tweet sent to HackerOne.

I immediately got an email response. This is amazing, I've been waiting for something after that last response for a while!

I then followed up to this person because they felt (and I believe they were trying to do everything in their power so are) very genuine. By this point, I responded telling him I would wait off on releasing anything publicly. My attempts were only to get this patched, not to cause Valve issues after all.

Me thanking the person for their response.

Valve is typing...

From here, I received this response from HackerOne claiming there was a mixup in the process with Valve and that my bug report was a duplicate.

This honestly scares the crap out of me. This means 1 of 2 things:

They're trying to get out of paying bug bounty money: I guess this is the more extreme perspective to take here, but considering the whole experience, a definitely possible one. I wasn't here for the bug bounty money, I have work by this point, but if there's some younger child trying to get into security research doing this, this could be enough to massively demotivate them if they were promised it from the HackerOne page.
They had someone who posted the same bug either weeks or months in advance: This means that Valve left someone else hanging for an insanely long time. This is equally messed up.

I then receive this response duo on the HackerOne page on August 31st 2019:

Responses on HackerOne issue (top one HackerOne staff, bottom one Valve)

This is interesting because the HackerOne staff member seems to be completely unaware about the risks of MITM attacks, but the Valve staff member rapidly replies to say that whilst it's a duplicate it's a valid issue. What does scare me about what the Valve staff member said is that they have not yet deployed a fix. For a simple MITM exploit that can be fixed by replacing "http://" with "https://", this is simply unacceptable.

Conclusion

In conclusion, despite the HackerOne staff member saying I'd get access to earlier reports, this never came to be and the report was just marked as a duplicate. I honestly have not been following this too much since I started a new difficult college year and contractual work, but it's been patched at the time of writing this post since I tested the exploit 0n the 4th March 2020.

Overall, the outcome of this situation in my opinion is that HackerOne should train staff to understand MITM attacks and should also ensure that there is good communication with the company they are managing. Poor communication only serves to annoy people who may have just found serious vulnerabilities like me.

Additionally, Valve's security email should be functional or not shown on their website. Not responding to a serious email to your security email address just shows a lack of concern which is extremely concerning.

I also need to add a huge thanks to Mohit Kumar from The Hacker News. He helped me validate my thoughts that this was not normal for a company. I'd never had to report a vulnerability before this, so I was very new to the process. If the vulnerability was still active, I would've gave you early notice that I was going to tweet this (although I never disclosed what the vulnerability actually was to him because of responsible disclosure) if it contained the vulnerability, but it was patched.