A 0day vulnerability was identified in the Steam Windows Client by Vasily Kravets, a security researcher, but was utterly ignored by Valve. The researcher then published all the details about the exploit.

Hackers and security researchers are always looking for vulnerabilities, in software, websites, services, and so on. Usually, the reasons are straightforward. They just want to know if they can do it. Other times, some kind of monetary reward is in play.

In the case of this particular vulnerability, Vasily Kravets was just checking the security of the Steam Windows Client, when he identified a problem. It’s a little bit complicated, but as Vasily Kravets explains, the end result is that the exploit allows any program to run with the highest possible rights on any PC that as Steam installed.

In theory, one of the thousands of developers that are publishing stuff through Steam, could take advantage of this vulnerability and infect the host computer with ease.

Surprisingly, the exploit comes second

You might think that Valve would hurry to close the vulnerability as soon as they found out about it, but you would be wrong. Vasily Kravets informed Valve about the problem, but they initially said that it’s not applicable. The researcher used a backchannel and finally, Valve took notice, but only to ignore the exploit once more.

In fact, the exploit which was reported on HackerOne was marked "Attacks that require the ability to drop files in arbitrary locations on the user's filesystem" and "Attacks that require physical access to the user’s device"..

Keep in mind that all of these steps are not transparent to the public, which gives the company a chance to plug the exploit before it becomes public. And this is exactly what happened when Vasily Kravets published all the details about the exploit.

From the looks of it, Valve continues to ignore the issue, and they even released an update for the client, but without the fix. As it stands right now, the exploit is out in the open and Steam users are exposed.

You can read the full report on the exploit on amonitoring.ru.