Computer World reports that the way browsers and other applications handle the "steam://" protocol URLs can be exploited by hackers, according to researchers from ReVuln. The Steam client can run on Windows and Mac OS X. Valve is currently testing a beta version of the client that supports Linux.
Researchers say that the Steam client registers itself as a steam:// URL protocol handler on install. When users click on a steam:// URL in a browser or a different application, the URL is automatically passed to the Steam client for execution. Steam:// URLs can activate Steam protocol commands that carry out a variety of actions including installs, uninstalls, updates, start games with certain parameters, backup files or perform other supported actions.
The problem according to researchers is that hackers can abuse these commands remotely on web sites and through other methods to trick users into executing these commands through maliciously crafted steam:// URLs. The other problem is that some browsers automatically pass these steam:// URLs to the Steam client without asking for confirmation from users.
"All the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine (like Firefox and SeaMonkey) are a perfect vector to perform silent Steam Browser Protocol calls," the researchers said. "Additionally for browsers like Internet Explorer and Opera it's still possible to hide the dodgy part of the URL from being shown in the warning message by adding several spaces into the steam:// URL itself."
Researchers also released a proof of concept video here.
Researchers say that the best way users can protect themselves is by manually disabling the steam:// URL protocol handler or use a browser that doesn't automatically execute steam:// URLs...
Source: Blue's News