This is my first blog, but I felt like this is something I needed to get off my chest after months. If people enjoy this blog post, I will probably do more in the future.
The saga begins
This whole saga begins on May 23rd 2019. After viewing the requests from my iPhone using a reverse proxy (I can't remember why I did this, but I did nonetheless), I noticed a lot of HTTP requests coming from the Steam mobile app. Out of curiosity I created a simple DNS server to run locally and redirect requests for "store.steampowered.com" to a Python SimpleHTTPServer instance running on port 80. From here, I was able to redirect the user on the store page without them noticing:
This is pretty bad since it means that an attacker on the local area network can very easily manipulate the responses, especially on the store page. But it should be a pretty simple fix, one that should take a week tops. Nobody would ever leave a vulnerability like that for months, right?
The initial HackerOne response
Being very concerned about this obvious vulnerability, I went ahead and filed a pretty detailed HackerOne report. It's important to note that this bug bounty program by Valve was HackerOne managed. This means that HackerOne processes the bug bounty before Valve can even see it. The ticket I submitted should have been enough to set alarm bells ringing and get someone at Valve to see it:
Instead, I got the following response (after one saying they were reviewing my ticket, but that is clearly just an automated one, so I'll skip over it):
This clearly made no sense. I would have thought it would be obvious to anyone with basic knowledge of insecure protocols that you can easily perform a man-in-the-middle attack, so I assumed it was a mistake. I replied with the following:
In all fairness, this HackerOne employee did give me the opportunity to explain how it could be exploited and did reopen it, so this could have been a mistake and not a systematic error. The response implied that they were unsure whether Valve would close it, but I accepted that this person may not understand some of the different attack vectors and called it a day:
At this point, I was just waiting for Valve to respond; that can't take long, right?
The silent treatment
After this response, the ticket just went silent for over a week. I was getting a bit concerned that nobody within Valve had actually seen this, so I decided to post a message asking for a status update on June 6th 2019:
After getting no response, I thought there was an off chance that they were not able to reproduce it as a MITM attack. I wrote a few crappy scripts to do this (I improved the script later on, but this was a botch to help them understand) and explained how it all worked:
From here, I was pretty frustrated at getting zero responses from anyone, so I went ahead and shot Valve an email on both the 13th June 2019 and the 25th June 2019 at their security address:
Both of these emails received literally no response from Valve, almost as if the security email listed on their website is deprecated. I was very annoyed at this point. I attempted to get their attention on Twitter multiple times with no success. On July 11th, I received this email, which was somewhat positive:
After seeing this, I decided to wait until the 11th August to see if they were actually going to follow through on responding. A month seemed reasonable after this email.
Hitting the brick wall again
Then it was the 30th August and I was pretty tired of this, since it was way over a month. So I decided to tweet them saying I would release it if I didn't get a response. This worked!
I immediately got an email response. This is amazing; I'd been waiting for something after that last response for a while!
I then followed up with this person because they seemed (and, I believe, were, since they appeared to be doing everything in their power) very genuine. At this point, I responded telling him I would hold off on releasing anything publicly. My attempts were only to get this patched, not to cause Valve issues, after all.
Valve is typing...
From here, I received this response from HackerOne claiming there was a mix-up in the process with Valve and that my bug report was a duplicate.
This honestly scares the crap out of me. This means one of two things:
- They're trying to get out of paying bug bounty money: I guess this is the more extreme perspective to take here, but considering the whole experience, a definitely possible one. I wasn't here for the bug bounty money, I had work by this point, but if there's some younger kid trying to get into security research doing this, this could be enough to massively demotivate them if they were promised it on the HackerOne page.
- They had someone who posted the same bug either weeks or months in advance: This means that Valve left someone else hanging for an insanely long time. This is equally messed up.
I then received this pair of responses on the HackerOne page on August 31st 2019:
This is interesting because the HackerOne staff member seems to be completely unaware of the risks of MITM attacks, but the Valve staff member rapidly replies to say that whilst it's a duplicate, it's a valid issue. What does scare me about what the Valve staff member said is that they had not yet deployed a fix. For a simple MITM exploit that can be fixed by replacing "http://" with "https://", this is simply unacceptable.
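The exposure described at the start of the post (app traffic to the store host going over plain HTTP, so anyone controlling the network path or the client's DNS answers can rewrite responses) and the "http://" to "https://" fix mentioned here, as an added example that is not code from the original post or from Valve. It audits a constructed proxy capture for cleartext requests and shows the client-side policy that closes the hole; the paths and the cdn host in the capture are made up.

```python
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Constructed capture of one app session, "METHOD URL" per line, the way
# an intercepting proxy would show it. Paths and the cdn host are made up.
CAPTURE = """\
GET http://store.steampowered.com/app/440/
GET https://api.steampowered.com/news/
GET http://store.steampowered.com/search/?term=portal
POST https://store.steampowered.com/login/
GET http://cdn.example.test/banner.png
""".splitlines()


def parse_request(line):
    """Split 'METHOD URL' into (method, scheme, host, url)."""
    method, url = line.split(maxsplit=1)
    parts = urlsplit(url)
    return method, parts.scheme.lower(), parts.hostname, url


def cleartext_hosts(lines):
    """Count requests per host that went over plain HTTP.

    Every host listed here can have its responses rewritten by whoever
    controls the network path or the client's DNS answers."""
    counts = defaultdict(int)
    for line in lines:
        _, scheme, host, _ = parse_request(line)
        if scheme == "http":
            counts[host] += 1
    return dict(counts)


def require_https(url, upgrade=False):
    """Client-side policy: only https:// URLs may be fetched.

    upgrade=True rewrites http:// to https:// (the one-line fix the post
    refers to); otherwise a non-TLS URL is rejected outright."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "https":
        return url
    if scheme == "http" and upgrade:
        return urlunsplit(("https",) + tuple(parts)[1:])
    raise ValueError(f"refusing non-TLS URL: {url}")


if __name__ == "__main__":
    for host, n in sorted(cleartext_hosts(CAPTURE).items()):
        print(f"{n} cleartext request(s) to {host}")
```

With HTTPS enforced, a spoofed DNS answer alone no longer helps an attacker, because the redirected connection fails certificate validation for the real hostname.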
In conclusion, despite the HackerOne staff member saying I'd get access to the earlier reports, this never came to be and the report was just marked as a duplicate. I honestly have not been following this too closely since I started a new, difficult college year and contract work, but it had been patched at the time of writing this post, since I re-tested the exploit on the 4th March 2020.
Overall, the outcome of this situation in my opinion is that HackerOne should train staff to understand MITM attacks and should also ensure that there is good communication with the company they are managing. Poor communication only serves to annoy people who may have just found serious vulnerabilities like me.
Additionally, Valve's security email should be functional or not shown on their website. Not responding to a serious email sent to your security address just shows a lack of concern, which is itself extremely concerning.
I also need to add a huge thanks to Mohit Kumar from The Hacker News. He helped me validate my thoughts that this was not normal for a company. I'd never had to report a vulnerability before this, so I was very new to the process. If the vulnerability had still been active, I would have given him early notice that I was going to tweet this (although I never disclosed to him what the vulnerability actually was, because of responsible disclosure), but it had been patched.