Cave, posted June 23, 2023

Every site with the ability for users to log in via Steam uses something called OpenID. This is a standardised authentication protocol commonly used for third-party logins on websites. In any programming ecosystem a common practice is to use pre-existing packages. Usually one would consider a widely-used implementation to be more battle-tested and secure than something written by yourself. Unfortunately, in this case a number of these implementations suffered from this same vulnerability (in our case we were using the "passport-steam" npm package). The underlying issue had gone unnoticed for years (in the case of this package: 12 years) and, as I'm sure you are aware, we were not the only ones hit. We were the testing grounds, before they moved on to target CSGO gambling sites 1-2 days later. While there was likely more than one perpetrator, the combined losses between all parties exceeded 1 million dollars.

The attack was conducted as follows:

- The package did not sufficiently validate the data provided in the initial request; this information was then passed to the underlying OpenID implementation.
- "node-openid" will reference several fields to decide how to process the authentication request:
  - If a server is OpenID 2, or a certain parameter is provided, it will use the correct Steam endpoint.
  - If a server is OpenID 1/1.1, it uses the endpoint provided in the login, which can be manipulated.
- The package then proceeds to check the user information against the chosen authentication endpoint - in this case, a fake server planted by the attacker that returns positive for any SteamID they submitted.

This appears to be the vector of attack used in both of the incidents. During the first incident the only account affected was Cave's, therefore it was easier to attribute to a coding error on our part, or perhaps his "session" being hijacked by an attacker; the XSS theory was also considered and investigated.
A thorough code review was conducted and the database was checked for XSS vectors and unauthorised access. Unfortunately none of the proposed scenarios were in fact correct; against all odds it turned out that the widely-used implementation was at fault. This leads us to the incident that occurred on 15/06/2023.

At approximately 2:53 am GMT+2 the attack began. By utilising the previously mentioned exploit the attacker proceeded to log in as each victim and then funnelled assets from them into throwaway accounts, by either accepting pending trades on behalf of their bots or using excessive manual buy prices to steal keys. It appears they initially spent time identifying the targets for the attacks and pre-configuring the bots for the attack.

1st trade: 3:13 am - Iron AJ, 1154 keys
2nd trade: 3:13 am - Dareos, 2800 keys
3rd trade: 3:13 am - Valpip, 1605 keys
4th trade: 3:15 am - Estel, 2100 keys
5th trade: 3:18 am - Sultanamir, 1390 keys
6th trade: 3:20 am - Apex, 1124 keys
7th trade: 3:22 am - Sousou57, 706 keys
8th trade: 3:27 am - Flaneur, inventory ~ 49k$
9th trade: 3:29 am - Shawl, inventory ~ more than 30k$
10th trade: 3:31 am - Sousou57, inventory ~ 31k$
11th trade: 3:33 am - Apex, inventory ~ 28.7k$
12th trade: 3:34 am - Kepperbee, inventory ~ 24k$
13th trade: 3:37 am - loz, inventory ~ 18k$
14th trade: 3:39 am - Requiem, inventory ~ more than 18k$
15th trade: 3:42 am - the big cheeze, 952 keys
16th trade: 3:43 am - flaneur, 1076 keys
17th trade: 3:45 am - gerald, 887 keys
18th trade: 3:47 am - Merendas, inventory ~ 14k$
19th trade: 3:50 am - Neemo, 734 keys

Since the attack occurred we have been monitoring item movements, and while the keys were laundered into cryptocurrency, the vast majority of stolen items are still unaccounted for and have not resurfaced.
The full list of items and their histories can be found here: https://gist.github.com/Moder112/4fc10d3eb85189f974def6fa6f021d37

The Mann Co. Supply Crate Keys can be found separately on this list: https://gist.github.com/Moder112/d8be3cc3faeb191bdcfe8fb5fe085ab7

The individuals who lost money during this have requested that we include this trade link for donations, which go towards them. We've had a lot of requests to donate, but we'd rather you donate to them: https://steamcommunity.com/tradeoffer/new/?partner=1548475422&token=8aOt91_R

This is an account owned by Loz and any donations will be redistributed to the victims. This is also the first step towards accountability for this incident. As of right now we are still deciding on how we are going to proceed; an announcement will be made in the near future to clarify the details.
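The endpoint-selection flaw described in the post above, as an added example that is not the passport-steam or node-openid code: a stripped-down assertion verifier, first in the vulnerable shape the post describes (when the assertion does not announce OpenID 2.0, the check_authentication endpoint is taken from the assertion itself), then a version pinned to Steam's endpoint that also validates the claimed_id. The parameter layout, the simulated check_authentication transport, the SteamID and the hypothetical attacker.example host are all constructed for this example; how the real libraries branch internally is not reproduced here.

```javascript
// Added example, not passport-steam/node-openid code. Models the bug class from the
// post: the provider endpoint used to verify an assertion is chosen from data the
// attacker controls. All inputs below are constructed.

const STEAM_OP_ENDPOINT = 'https://steamcommunity.com/openid/login';
const OPENID2_NS = 'http://specs.openid.net/auth/2.0';
const STEAM_CLAIMED_ID = /^https:\/\/steamcommunity\.com\/openid\/id\/(\d{17})$/;

// Simulated check_authentication round trip. A real verifier POSTs the signed
// assertion back to the provider with openid.mode=check_authentication and reads
// "is_valid:true" from the reply. The fake Steam only accepts one constructed
// signature; a fake attacker-run endpoint accepts anything, as in the post.
const GOOD_SIG = 'sig-constructed-for-the-legitimate-login';
function checkAuthentication(endpoint, params) {
  if (endpoint === STEAM_OP_ENDPOINT) {
    return params['openid.sig'] === GOOD_SIG;
  }
  if (endpoint.startsWith('https://attacker.example/')) {
    return true; // attacker's server: "is_valid:true" for any SteamID
  }
  throw new Error('unreachable endpoint ' + endpoint);
}

// Vulnerable shape: which endpoint is consulted depends on the protocol version
// the assertion itself claims. OpenID 2.0 -> pinned to Steam; anything older ->
// the provider URL comes out of the assertion (hypothetical field use).
function verifyVulnerable(params) {
  const endpoint = params['openid.ns'] === OPENID2_NS
    ? STEAM_OP_ENDPOINT
    : params['openid.op_endpoint'];
  if (!endpoint) return null;
  if (!checkAuthentication(endpoint, params)) return null;
  const m = /\/id\/(\d+)$/.exec(params['openid.claimed_id'] || '');
  return m ? m[1] : null;
}

// Hardened: never derive the verification endpoint from the assertion. Require the
// 2.0 namespace, require op_endpoint and claimed_id to be Steam's, require the
// fields relied on to be covered by the signature, then ask Steam about the signature.
function verifyPinned(params, expectedReturnTo) {
  if (params['openid.ns'] !== OPENID2_NS) return null;          // rejects 1.x downgrade
  if (params['openid.mode'] !== 'id_res') return null;
  if (params['openid.op_endpoint'] !== STEAM_OP_ENDPOINT) return null;
  if (params['openid.return_to'] !== expectedReturnTo) return null;
  const m = STEAM_CLAIMED_ID.exec(params['openid.claimed_id'] || '');
  if (!m || params['openid.identity'] !== params['openid.claimed_id']) return null;
  const signed = new Set((params['openid.signed'] || '').split(','));
  for (const f of ['op_endpoint', 'claimed_id', 'identity', 'return_to',
                   'response_nonce', 'assoc_handle']) {
    if (!signed.has(f)) return null;
  }
  if (!checkAuthentication(STEAM_OP_ENDPOINT, params)) return null;
  return m[1]; // the 17-digit SteamID64
}

const RETURN_TO = 'https://site.example/auth/steam/return';
const SIGNED = 'op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle';
const VICTIM = 'https://steamcommunity.com/openid/id/76561197960287930';

// Constructed legitimate OpenID 2.0 assertion from Steam.
const legit = {
  'openid.ns': OPENID2_NS,
  'openid.mode': 'id_res',
  'openid.op_endpoint': STEAM_OP_ENDPOINT,
  'openid.claimed_id': VICTIM,
  'openid.identity': VICTIM,
  'openid.return_to': RETURN_TO,
  'openid.response_nonce': '2023-06-15T00:53:00Zconstructed',
  'openid.assoc_handle': 'constructed-handle',
  'openid.signed': SIGNED,
  'openid.sig': GOOD_SIG,
};

// Constructed forged assertion: no 2.0 namespace, attacker-controlled provider,
// the victim's SteamID as claimed_id, and a garbage signature.
const forged = {
  ...legit,
  'openid.op_endpoint': 'https://attacker.example/openid',
  'openid.sig': 'anything',
};
delete forged['openid.ns'];
```

`verifyVulnerable(forged)` returns the victim's SteamID because the attacker's server vouches for it, while `verifyPinned(forged, RETURN_TO)` returns null before any network call is made. In a real deployment the pinned version also needs replay protection on `openid.response_nonce` and must compare `return_to` against the URL the request actually arrived on.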
www., posted June 23, 2023

This is a great write-up that I feel answers a lot of questions and offers insight into the incident. I have some follow-up questions saved that I was waiting for a good time to ask, and this thread seems to be the best place/time:

- While logged in to accounts, did the attacker have access to any sensitive information of customers, like IP addresses or credit card details/payment addresses from the subscription?
- Outside of the list of users whose items were stolen, were there any additional accounts that were accessed without permission?
- If the IP address of the attacker was captured, can it be/was it used to scan to match other users in the community?

The final two questions are re: "as of right now, we are still deciding on how we are going to proceed," on the chance gladiator.tf or similar projects return to the community at some point:

- Would there be checks in place in the future to ensure customers have multiple forms of authentication for access to gladiator.tf?
- Would you consider contracting a third party to perform a security audit of the site, such as penetration testing etc., to ensure customer data and assets are safer from future attacks?

Thanks for your time and I hope you're doing well. I appreciate this report and the transparency it offers to both traders and devs.
Littlepudintater, posted June 23, 2023

45 minutes ago, www. said:
> this is a great write-up that i feel answers a lot of questions and offers insight into the incident. i have some follow-up questions saved that i was waiting for a good time to ask, and this thread seems to be the best place/time: while logged in to accounts, did the attacker have access to any sensitive information of customers like IP addresses or credit card details/payment addresses from the subscription? outside of the list of users whose items were stolen, were there any additional accounts that were accessed without permission? if the IP address of the attacker was captured, can it be/was it used to scan to match other users in the community? final 2 questions are re: "as of right now, we are still deciding on how we are going to proceed," on the chance gladiator.tf or similar projects return to the community at some point: would there be checks in place in the future to ensure customers have multiple forms of authentication for access to gladiator.tf? would you consider contracting a third-party to perform a security audit of the site? such as penetration testing, etc to ensure customer data and assets are safer from future attacks? thanks for your time and i hope you're doing well, i appreciate this report and the transparency it offers to both traders and devs.

Does he know? Maybe Udemy didn't teach that!
Zeus_Junior, posted June 23, 2023

2 hours ago, www. said:
> this is a great write-up that i feel answers a lot of questions and offers insight into the incident. i have some follow-up questions saved that i was waiting for a good time to ask, and this thread seems to be the best place/time: while logged in to accounts, did the attacker have access to any sensitive information of customers like IP addresses or credit card details/payment addresses from the subscription? outside of the list of users whose items were stolen, were there any additional accounts that were accessed without permission? if the IP address of the attacker was captured, can it be/was it used to scan to match other users in the community? final 2 questions are re: "as of right now, we are still deciding on how we are going to proceed," on the chance gladiator.tf or similar projects return to the community at some point: would there be checks in place in the future to ensure customers have multiple forms of authentication for access to gladiator.tf? would you consider contracting a third-party to perform a security audit of the site? such as penetration testing, etc to ensure customer data and assets are safer from future attacks? thanks for your time and i hope you're doing well, i appreciate this report and the transparency it offers to both traders and devs.

no
no
yes
yes, though forcing 2FA for bot owners, while good, is not something I think a casual bot trader wants
maybe
LaughingLollipop, posted June 24, 2023

In a typical trade Steam does provide mitigation for loss of account control. The Steam mobile authenticator trade confirmation function is/was intentionally bypassed by bots (auto-confirming). If this had not been the case, nothing could've been taken. Effectively, all the sites impacted by this bypassed Steam's own forced 2FA and didn't implement their own.
CogsFixmore, posted June 24, 2023

I saw this item move from the account that stole loads of stuff: https://backpack.tf/item/1545152262. It is now in the hands of a The Nervous Pyro: https://backpack.tf/u/76561198114402400

So at some point the thief sold it to someone, then that person to Pyro. Unsure why only that item was sold out of the ones the thief stole. I did message Pyro and warn him to be careful and that it was stolen, but that's all.
RockSolidWood, posted June 24, 2023

I mean, this whole situation is really a giant learning curve, albeit a harsh one. A lot of people, when bots surfaced through Glad, initially bitched and moaned about their presence, and then got used to them being around and all was well. Since they've been shut down, a lot of players have been panic selling lower-tier items, and a lot of items have taken significant hits to buy/sell orders. It's really something difficult to maneuver for the trading community, but we'll all cope as we have in the past.
m.richer, posted June 24, 2023

Wow. This is a really helpful and insightful write-up; thank you for this and everything you've done for the community, Cave. With bots being around for so long, who would have known such a vulnerability existed. For some reason it sort of reminds me of the whole log4j vuln, since it also existed in known code packages and was also around for years before it was discovered. Pretty sure it also had to do with setting up an attack server to pull it off. It was only a matter of time before someone would dig through supporting code libraries to find it.

Sorry for the loss of everyone affected by this, but to be completely honest, it would seem this is the risk and cost of doing business via bot trading (hence why I never used trading bots in the first place, especially when even something "legit" could go so wrong, like the buy order ordeal during the 2019 "crate depression"). It's a shame to see the end of a trading era this way, but hopefully a new era of trading will be reborn better than the last.
dareosthefishcake, posted June 24, 2023

Just wanna point out that I hold the world record for most keys pure scammed. Get on my level.... Dareos #1
Guccifish, posted June 24, 2023

1 hour ago, dareosthefishcake said:
> Just wanna point out that I hold the wold record for most keys pure scammed. Get on my level.... Dareos #1

common Dareos W
Flamadin, posted June 24, 2023

I would hope that maybe Valve could lock down all the unusuals that were stolen, then work on returning them to the rightful owners. You have the list here, and Valve can see them anywhere. It's not impossible.