Valve has reported a rise in recent months in complaints about hijacked Steam developer accounts being used to publish game builds infected with malware. To prevent such cases, the company has introduced additional security measures, reports Bleeping Computer.
From now on, all developers on Steamworks will have to go through SMS verification before they can upload a new game build or add a new user to their partner group. These changes will take effect on October 24.
This measure will help limit the spread of malware through games, but it will not fix the problem completely. According to Benoît Freslon, the developer of NanoWar: Cells vs Virus, the attacker infected his PC with a program that stole all his credentials, and SMS confirmation would not have worked in his case.
Hey Simon, I’m the developer of this game. ALL my accounts were hacked by a Token Grabber Malware. Unfortunately, the 2FA is useless if the token is still active. I just used my dev account to release the game few hours before the hack I suppose.
— Benoît Freslon 👨💻 VideoGameCreation.fr (@BenoitFreslon) October 11, 2023
The malware stole the session tokens for all of his accounts. A session token represents a login that has already passed 2FA, so until these tokens are revoked or expire, the attacker has access to the accounts and can do whatever they want.
In addition, SMS confirmation is itself vulnerable to SIM swapping attacks, in which attackers transfer the developer’s number to a new SIM card and gain access to their account.
Nevertheless, Valve is moving in the right direction, and perhaps in the future we will see more new security measures that will help developers protect their community from such problems.