Steam custom clients - security

[terechgracz]

You can use groovy instead injecting jars

[dafels]

Would be good if there was a way for devs to highlight "trustable" clients that are known historically to not do any shady stuff, has good reputation and always make them show up always as first options in the workshop just to reduce the potential of some newb going through the list and downloading the wrong client

[gravesmerch]

seems the best security is checking mod thread on Wizard Tower, just to be sure you're using the real deal

[loftar]

This is a good question that I too (being a bit of a Steam noob) have been wondering about. To be clear, it's basically impossible to guarantee the security of a client, because:

• To begin with, as mentioned, clients are released on the Workshop without prior approval; and
• Even if I were to approve clients before they could be released, as also mentioned, there's no guarantee that what the author uploads actually matches the sources; and
• Even if it could be guaranteed to match, it's impossible for any one person, or even team of persons, to go through the sources meticulously enough to actually find every imaginable exploit (see the UCC, for example); and
• Even if it were, I've seen many clients include binary Jar files from other projects just as dependencies.

And I could continue.

Also, my understanding, and APXEOLOG seems to confirm this, is that this is the common case for mods on the Steam Workshop, and so if it works for other games, I'd kind of have to assume there's no reason for it not to work for Haven, right? I'm not sure exactly how well it works for other games, or why it works well if it does, but I can only assume that it's basically a matter of trust. I mean, fundamentally, this isn't even just true of mods, but of the games themselves to begin with.

I think loftar should put a disclaimer into the custom client launcher about the potential problems.

That's certainly fair. I wanted to do something like that on the Workshop page itself, but the description text has to be so short and can't contain line-breaks that I found it hard to fit in, and didn't even think to put it in the launcher itself, but I'll definitely do that.

Love to hear other opinions on the matter!

[Robertzon]

Two pieces about workshop viruses;
https://www.eurogamer.net/cities-skylin ... ed-in-mods
https://gmod.fandom.com/wiki/G-Man_Virus

at the end of the day, everything can happen and you just have to be cautious of workshop mods, use only reputable clients

[wafflecat]

Bottom line - use Steam if you want default client, otherwise compile and run a custom client from the forums. EZ

[vatas]

My rather layman understanding is that the most realistic attack-vector is limited to just stealing the passwords you input on the client to log in. Which obviously is still rather bad if you have a 1000 dollar hat collection.

Well, you can basically do anything in the system, since you'll be running your own code. But it's not really any different with any other game. Half of the Unity games are modded through the Harmony which is basically code injection. And all those mods are distributed through the steam workshop as well.

I think in the end it will be a matter of trust and name behind the client.

I managed to forget that Haven is a special case with the open-source client - in other games like WoW you'd be limited to any exploits in the API for injecting malware into an addon.

Also "just stealing the password" still requires a "phone home" -system (possibly including the obfuscation to hide it from the end user.) It would be entirely up to personal restraint to only use it for Haven passwords, and not for every possible bit of personal data that's could be even remotely valuable.

[loftar]

I managed to forget that Haven is a special case with the open-source client - in other games like WoW you'd be limited to any exploits in the API for injecting malware into an addon.

I don't really think Haven is that much of a special case. I don't know about WoW specifically, but my understanding is that many games achieve moddability basically through DLL injection, so such mods would also be entirely free to do whatever they wish. Even for games that perhaps have some higher-level API/scripting language, I doubt they are so thoroughly sandboxed and pentested that a crafty modder wouldn't be able to escape it.

[EnderWiggin]

I managed to forget that Haven is a special case with the open-source client - in other games like WoW you'd be limited to any exploits in the API for injecting malware into an addon.

I don't really think Haven is that much of a special case. I don't know about WoW specifically, but my understanding is that many games achieve moddability basically through DLL injection, so such mods would also be entirely free to do whatever they wish. Even for games that perhaps have some higher-level API/scripting language, I doubt they are so thoroughly sandboxed and pentested that a crafty modder wouldn't be able to escape it.

Even for games with official APIs there's pretty much always exists some form of script extender that injects into a game - because for modders any API is not enough.

[vatas]

Even for games that perhaps have some higher-level API/scripting language, I doubt they are so thoroughly sandboxed and pentested that a crafty modder wouldn't be able to escape it.

WoW has an official Addon support with Lua, a commonly used scripting language for various video game mods. I don't remember having ever heard of a WoW Addon with an "arbitrary code execution" -exploit, but I'm also definitely not someone in position to claim that it wouldn't be possible. Especially when lot of people play on unofficial servers with an older version of the client. (RCE, but it was in the client itself.)

Even for games with official APIs there's pretty much always exists some form of script extender that injects into a game - because for modders any API is not enough.

Minecraft has no official Lua support, but has a mod to enable it.

Going back to WoW: here's a example where someone performed malicious attack without any arbitrary code execution. Note that while the technical knowledge and programming effort required was relatively minimal, this was essentially a social engineering attack.

The reason why I was skeptical that Steam Workshop mod can do anything it wants with the system, was that I've never heard of someone downloading a Steam mod and it formatting their hard drive of something. However the entire malware "scene" (or whatever you'd like to call it) has thoroughly transitioned from "trolling or being a nuisance" to "for profit criminal activity" where unless you've been infected by a ransomware, the malicious code stealing your data (or just tracking you) would obviously do its best to be as unnoticeable as possible to the end user.

While not directly related, https://en.wikipedia.org/wiki/Virtual_machine_escape is an example how nothing in programming should be assumed to be 100% "watertight."