blackjew
Basically, a guy found a vulnerability in the Steam client for Windows that allows privilege escalation without the user's knowledge.
So far, fine, no software is completely free of flaws. The problem is that the guy followed the proper process to report the bug and, besides running into a series of difficulties, in the end Volvo said f**k it. They didn't accept the bug, didn't fix anything, and even wanted to forbid publication of the vulnerability.
Severe local 0-Day escalation exploit found in Steam Client Services
This trivially exploited security flaw allows any user root—er, LOCALSYSTEM—privileges.
arstechnica.com
Timeline
June 15 — reported via HackerOne.
June 16 — marked as “N\A”, due to "Attacks that require the ability to drop files in arbitrary locations on the user's filesystem".
June 16 — reopened with my comments.
July 2 — vulnerability confirmed by HackerOne staff and submitted to the appropriate remediation team for review.
July 20 — marked as “N\A”, "Attacks that require the ability to drop files in arbitrary locations on the user's filesystem." and "Attacks that require physical access to the user’s device".
August 7 — public disclosure (this paper).
Bonus
The thing is that it was decided to expand the timeline because of a quite interesting event which occurred during the preparation of this article:
July 20 — after the report was rejected, I informed H1 that I would disclose the details of the vulnerability publicly after July 30.
August 2 — one more H1 employee appears in the thread and forbids the disclosure.
This article was ready for publication by July 30 (this date was chosen due to the 45-day deadline since the initial vulnerability report was sent). So, two weeks after my message, which was sent on July 20, a person appears, who tells me that my report was marked as not applicable, they closed the discussion and wouldn’t offer any explanation to me. Moreover, they didn't want me to disclose the vulnerability. At the same time, there was not even a single word from Valve. No, guys, that's not how it works. You didn’t respect my work, and that's the reason why I won’t respect yours — I see no reason why I shouldn't publish this report. Most likely I’ll be banned at H1 because of it, but it won't make me upset.
UPD.
Yesterday (August 6, 2019) Steam was updated. No, the problem is not fixed. File versions: 5.27.59.20 signed at 06 Aug 2019.