The way Kravets tells is (Valve did not respond to a request for comment), the whole saga started earlier this month when he went to report a separate elevation of privilege flaw in Steam Client, the software gamers use to purchase and run games from the games service.
Valve declined to recognize and pay out for the bug, which they said required local access and the ability to drop files on the target machine in order to run and was therefore not really a vulnerability.
“I received a lot of feedback. But Valve didn’t say a single word, HackerOne sent a huge letter and, mostly, kept silence,” Kravets wrote. “Eventually things escalated with Valve and I got banned by them on HackerOne — I can no longer participate in their vulnerability rejection program (the rest of H1 is still available though).”
Now, some two weeks later, Kravets has discovered and disclosed a second elevation of privilege flaw. Like the first, this vulnerability this flaw (a DLL loading vulnerability) would require the attacker to have access to the target’s machine and the ability to write files locally.
The Register then says something pretty stupid:
While neither flaw would be considered a ‘critical’ risk as they each require the attacker to already have access to the target machine (if that’s the case you’re already in serious trouble, so what’s another flaw)
It’s an escalation flaw, which means that as a normal user you can run things administrators are only supposed to run. That’s a problem.