Steam enforces SMS verification to curb malware-ridden updates

    Valve has announced that it will be implementing additional security measures for developers who publish games on Steam. This decision comes in response to a recent surge in malicious updates that have been spreading malware through compromised publisher accounts. To combat this issue, Valve will be introducing SMS-based confirmation codes as part of the security check process for developers pushing updates on the default release branch. The same SMS verification requirement will also be enforced for adding new users to the Steamworks partner group. These measures are set to go into effect on October 24, 2023.

    Valve’s decision to enhance security measures follows reports of compromised Steamworks accounts and the subsequent uploading of infected builds that harm players with malware. While Valve has assured the gaming community that the impact of these attacks has been minimal, they acknowledge the need for stronger security measures to prevent further breaches.

    The introduction of SMS-based verification is a step in the right direction for improving supply chain security on Steam. However, it is not a foolproof solution. One game developer, Benoît Freslon, recounted an incident where he was infected with information-stealing malware that allowed the attackers to briefly release a malicious update for one of his games. Freslon pointed out that the new SMS-based security measure would not have prevented this attack, as the malware had already gained access to his session tokens. This highlights the limitations of using SMS for two-factor authentication (2FA) and suggests that alternative solutions such as authenticator apps or physical security keys may be more effective, especially for projects with large communities.

    Valve acknowledges that the SMS-based security measure is not perfect but plans to add further requirements for Steamworks actions in the future. They have also updated the SetAppBuildLive API, which now requires a steamID for confirmation when making changes to the default branch of a released app. There is no workaround for developers without a phone number: they must have a means of receiving text messages in order to continue publishing on the platform.

    In conclusion, Valve’s implementation of SMS-based confirmation codes is a positive step towards bolstering security on Steam. However, it is important to recognize the limitations of this method and the potential for SIM-swap attacks. Exploring alternative authentication options such as authenticator apps or physical security keys may provide a more robust solution in the long run.
