About two months ago, my little girl gave me a great present for my birthday and I got Call of Duty Modern Warfare 2 (I <3 C0D).
Many minutes of gaming later, I decided to check the security of the Steam website and I got very interesting results.
The website was vulnerable to XSS/HTML injection, which could be exploited to steal users' cookies. I made a PoC showing how to launch the vulnerabilities using any browser (where XSS was allowed) or the "steam" URI scheme (steam://openurl/), because Steam used its own internal browser.
The "steam browser" had/has some limitations:
- This browser didn't/doesn't allow changing the URL -> Solution was the URI scheme.
- This browser had/has a URL length restriction -> Solution was to use an evil JS file hosted anywhere.
So, these would be simple PoCs:
- GET var "os" was vulnerable: http://store.steampowered.com/search/?os=mac%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E%3C!--&category1=998&category2=9
- GET var "category1" was vulnerable: http://store.steampowered.com/search/?os=mac&category1=998%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3C!--&category2=9
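How the server side closes this hole, as an added example (not code from this post or from Steam): the value is reflected unescaped next to the same value escaped for a quoted attribute, plus input validation, run over the "os" PoC URL above. The hidden-input markup, the `ALLOWED_OS` allow-list and all function names are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit, unquote_plus

# Test input: the "os" PoC URL quoted in the post.
POC_URL = ("http://store.steampowered.com/search/?os=mac%22%3E%3Cscript%3E"
           "alert%28document.cookie%29;%3C/script%3E%3C!--&category1=998&category2=9")

ALLOWED_OS = {"win", "mac", "linux"}  # assumption: hypothetical allow-list


def params_from(url):
    """Split the query on '&' only and URL-decode each value."""
    pairs = (part.partition("=") for part in urlsplit(url).query.split("&"))
    return {key: unquote_plus(value) for key, _, value in pairs}


def render_vulnerable(params):
    """Reflects the raw value into an attribute, so '">' closes the tag."""
    return '<input type="hidden" name="os" value="%s">' % params.get("os", "")


def render_escaped(params):
    """Same (hypothetical) markup, value escaped for a quoted attribute."""
    value = html.escape(params.get("os", ""), quote=True)
    return '<input type="hidden" name="os" value="%s">' % value


def validate(params):
    """Return the names of parameters that do not have the expected shape."""
    errors = []
    if params.get("os", "") not in ALLOWED_OS:
        errors.append("os")
    for name in ("category1", "category2"):
        value = params.get(name, "")
        if not (value.isascii() and value.isdigit()):
            errors.append(name)
    return errors


if __name__ == "__main__":
    p = params_from(POC_URL)
    print("vulnerable:", render_vulnerable(p))
    print("escaped:   ", render_escaped(p))
    print("rejected:  ", validate(p))
```

Marking the session cookie `HttpOnly` additionally keeps it out of `document.cookie`, which limits the cookie theft described above even if an injection slips through.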
I also recorded a video showing how the issue could be exploited.
Watch on YouTube: here
I made my game more secure, but they (the Steam website security team) didn't give me a present like a nice new game.
Be safe ;)