Steam’s new chat system launched with an egregious ‘spying’ exploit

Posted on July 26, 2018

Steam recently launched its new chat functionality, which updates the user interface, reworks the friends list, and brings some highly requested chat features including voice chat. Alongside voice chat comes the ability to have group chats, post memes and Tweets, and general updates that align it more closely with modern chat services like Discord. The new system has a few kinks, but for the most part it’s actually a very good update that you can discover more about here.

Unfortunately, the new service launched with an unbelievably damaging exploit: the ability to listen to people’s microphones without them even being logged in to the voice chat session. The exploit was raised by reddit user Presistan in this thread and confirmed by a Valve employee a few hours later. Thankfully, the exploit has also been resolved, with the following message:

“We fixed this, thanks for reporting. In the future, it is generally better to report anything you think might be a security issue on HackerOne where we can act on it without first telling the entire world how to exploit it. Then you can responsibly disclose the issue after a fix is out.

Fortunately, in this case, if you were kicked you continued to show up as in the voice chat in your own friends list, and you could leave from there. You were in a weird state transmitting but not receiving, but you would have still seen that you were in the voice chat.”

Steam Voice Chat

It’s a good thing Valve acted so quickly on the exploit, because it raised serious concerns about privacy breaches, spying, and broader accusations of illegality. Being kicked from a group chat meant that you could no longer hear the others in the chat, but they could still hear you. Whilst the error was identifiable if you checked your Steam friends list, this is something very easy to overlook.
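The failure mode described above, as a constructed Python model added here (not Steam’s code): a kick that tears down only the receive path leaves the client still transmitting, which a simple invariant check catches, while the fixed handler revokes every capability at once. The class, field and function names are assumptions for the illustration.

```python
from dataclasses import dataclass


@dataclass
class VoiceSession:
    """One client's view of a group voice chat (constructed model, not Steam's code)."""
    chat_id: str
    receiving: bool = False               # audio from the other members is played back
    transmitting: bool = False            # the local microphone is captured and sent
    shown_in_friends_list: bool = False   # the client's own UI still lists it as joined

    def join(self) -> None:
        self.receiving = self.transmitting = self.shown_in_friends_list = True

    def on_kicked_buggy(self) -> None:
        # Models the reported failure: the kick only tears down the receive path,
        # so the client keeps sending microphone audio to a chat it can no longer hear.
        self.receiving = False

    def on_kicked_fixed(self) -> None:
        # Removal from the chat revokes every capability together, so there is no
        # window in which the client transmits without being a member.
        self.receiving = False
        self.transmitting = False
        self.shown_in_friends_list = False


def audit(session: VoiceSession) -> list:
    """Invariant check a client or server could run after a membership change:
    a session that is not receiving must neither transmit nor still show as joined."""
    problems = []
    if session.transmitting and not session.receiving:
        problems.append(f"{session.chat_id}: transmitting without receiving")
    if session.shown_in_friends_list and not session.receiving:
        problems.append(f"{session.chat_id}: UI still shows membership after kick")
    return problems


def simulate_kick(fixed: bool) -> VoiceSession:
    """Join a constructed chat, get kicked, and return the resulting client state."""
    session = VoiceSession(chat_id="group-voice-1")   # constructed sample chat id
    session.join()
    if fixed:
        session.on_kicked_fixed()
    else:
        session.on_kicked_buggy()
    return session
```

Running `audit(simulate_kick(False))` reports the "transmitting without receiving" state the Valve message describes, while `audit(simulate_kick(True))` returns an empty list.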

The glitch may have only existed for a matter of hours, but with Steam’s massive install base there are already reports flooding in of violations and of individuals being the victims of spying. A very damaging start to an otherwise pretty great update.