Steam enforces SMS verification to curb malware-ridden updates

October 15, 2023 at 01:53PM

Valve is implementing additional security measures on Steam to address the recent outbreak of malware being pushed from compromised publisher accounts. Starting October 24, game developers will be required to pass an SMS-based security check before pushing updates, and the same requirement will be enforced for adding new users to the Steamworks partner group. While the measure is a step towards better supply chain security, it is not foolproof. One game developer explained on Twitter that the SMS-based security measure would not have prevented an attack that stole his credentials and allowed malware-laced updates to be pushed to players.

Key takeaways:

1. Valve is implementing additional security measures on Steam in response to a recent outbreak of malware being pushed from compromised publisher accounts.
2. Steamworks is a set of tools and services used by developers and publishers to distribute their products on the Steam platform.
3. There have been reports of compromised Steamworks accounts and attackers uploading malicious builds since late August 2023.
4. Valve has notified affected users individually about the potential breach.
5. Starting from October 24, 2023, a new SMS-based security check will be enforced for developers pushing updates on the default release branch and for adding new users to the Steamworks partner group.
6. Developers will need a phone number in their Steamworks account settings for verification of builds and new user additions.
7. The SetAppBuildLive API has been updated to require a steamID for confirmation.
8. Developers without a phone number will not have a workaround and must find a way to receive text messages to continue publishing on Steam.
9. While SMS-based verification is a step towards better security, it is not perfect and may not prevent session-token theft or SIM-swap attacks.
10. A more modern solution, such as authenticator apps or physical security keys, may be considered for projects with large communities.
