Valve has announced implementing additional security measures for developers publishing games on Steam, including SMS-based confirmation codes. This is to deal with a recent outbreak of malicious updates pushing malware from compromised publisher accounts.
Steamworks is a set of tools and services developers and publishers of games/software use to distribute their products on the Steam platform.
It supports DRM (digital rights management), multiplayer, video streaming, matchmaking, achievements system, in-game voice and chat, microtransactions, statistics, cloud saving, and community-made content sharing (Steam Workshop).
Starting in late August and into September 2023, there has been an elevated number of reports about compromised Steamworks accounts and the attackers uploading malicious builds that infect players with malware.
Valve assured the gaming community that the impact of these attacks was limited to a few hundred users, who were individually informed of the potential breach via notices sent by the company.
To curb this problem, Valve will enforce a new SMS-based security check starting on October 24, 2023, which game developers must pass before pushing an update on the default release branch (not beta releases).
The same requirement will be enforced when someone attempts to add new users to the Steamworks partner group, which is already protected by an email-based confirmation. Starting October 24, the group admin must verify the action with an SMS code.
“As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account so that Steam can text you a confirmation code before continuing,” reads Valve’s announcement from earlier this week.
“The same will be true for any Steamworks account that needs to add new users. This change will go live on October 24, 2023, so be sure to add a phone number to your account now.”
“We also plan on adding this requirement for other Steamworks actions in the future.”
For those using the SetAppBuildLive API, Steam has updated it to require a steamID for confirmation, particularly for changes to the default branch of a released app.
Using ‘steamcmd’ to set builds live is no longer applicable for managing the default branch of released apps.
Also, Valve says there will be no workaround for developers without a phone number, so they must find a way to receive text messages to continue publishing on the platform.
Not a perfect solution
While introducing SMS-based verification is a good step towards achieving better supply chain security on Steam, the system is far from perfect.
One of the game developers, Benoît Freslon, explained that he was infected with an information-stealing malware that was used to steal his credentials.
Using these stolen credentials, the threat actor briefly pushed out a malicious update for the NanoWar: Cells VS Virus that infected players with malware.
Freslon explained on Twitter that Valve’s new SMS-based MFA security measure wouldn’t have helped stop the attack as the info-stealer malware snatched session tokens to all his accounts.
In a separate post on his website, the game developer explained that the attack occurred on Discord, with the threat actors tricking him into downloading and reviewing a Unity game named “Extreme Invaders.”
The game installer dropped a password-stealing malware on his computer, which targeted his Discord, Steam, Twitch, Twitter, and other accounts.
Until the tokens were revoked or expired, the attackers continued to access the developer’s accounts, remaining free to push malware-laced game updates to players.
Also, SMS 2FA is inherently vulnerable to SIM-swap attacks where threat actors can port the number of a game developer to a new SIM and bypass the security measure.
A better and more modern solution would be to enforce authenticator apps or physical security keys, especially for projects with large communities.