Steam uses insecure, out-of-date Chromium browser

Valve has integrated a custom version of the Chromium web browser in its Steam client that displays web content to Steam users.

If the past couple of weeks have shown anything, it is that custom Chromium or Chrome versions are a security risk more often than not.

Google analyzed third-party implementations of its Chromium browser recently, and came to the conclusion that they made user systems less secure despite claiming the opposite.

The main reason for this was that companies disabled security features of the Chromium browser, or circumvented them.

Valve’s Steam client uses a custom version of Chromium as well, and it turns out that this version is also insecure.

Chromium Embedded Framework (CEF) is an extension of the Chromium browser rendering engine, an open-source project which is a component of Google Chrome.

The Steam client on Windows and OS X uses a customized version of CEF to render web content.

A user reported his findings on the official Valve Software GitHub repository, stating that the built-in version of Chromium was outdated and running without a sandbox.

The Chromium browser on Steam is based on version 47, a vulnerable and out-of-date version.

Chromium runs with --no-sandbox by default on Steam.

The most recent version of Chromium is version 50 currently, which means that the chromium browser used by Steam is out of date.

Google fixed several security issues in these newer versions of Chromium, leaving the Steam version of the browser vulnerable to them.

The sandbox, enabled by default in Chromium, allows for the creation of sandboxed processes which run in restrictive environments. Among other things, it protects the underlying system and the data on it from malicious processes.

Chrome users can use the parameter --no-sandbox to disable the sandbox in Chrome, but doing so removes its protective features and leaves the system wide open for attacks.
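Because the switch is passed on the command line, it shows up in the process list. The following is an added example, not code from the article or from Valve, that flags processes started with --no-sandbox; it also checks two related Chromium switches (--disable-setuid-sandbox, --disable-gpu-sandbox) that the article does not mention. The sample process names and paths are constructed, and live collection assumes a ps that accepts -A and -o (macOS, Linux).

```python
import subprocess

# Switches that turn off all or part of the Chromium sandbox.
# Only --no-sandbox is named in the article; the other two are added here.
SANDBOX_OFF = {"--no-sandbox", "--disable-setuid-sandbox", "--disable-gpu-sandbox"}


def parse_ps(text):
    """Yield (pid, argv) from lines of `ps -A -o pid= -o args=` output."""
    for line in text.splitlines():
        pid, _, args = line.strip().partition(" ")
        if not pid.isdigit():
            continue  # skip blank lines and anything that is not "<pid> <args>"
        # ps prints arguments separated by spaces without shell quoting.
        yield int(pid), args.split()


def unsandboxed(text):
    """Return {pid: [switches]} for processes started with a sandbox-off switch."""
    hits = {}
    for pid, argv in parse_ps(text):
        # Compare whole arguments, so a URL or value that merely contains
        # the string "--no-sandbox" is not reported.
        found = sorted(SANDBOX_OFF.intersection(argv))
        if found:
            hits[pid] = found
    return hits


# Constructed sample input: process names and paths are made up.
SAMPLE = """\
  4101 /opt/app/webhelper --type=renderer --no-sandbox --lang=en-US
  4102 /opt/app/webhelper --type=gpu-process --no-sandbox --disable-gpu-sandbox
  4200 /usr/bin/browser --type=renderer --lang=en-US
  4300 /usr/bin/curl https://example.test/?q=--no-sandbox
"""

if __name__ == "__main__":
    live = subprocess.run(
        ["ps", "-A", "-o", "pid=", "-o", "args="],
        capture_output=True, text=True, check=True,
    ).stdout
    for pid, flags in unsandboxed(live).items():
        print(pid, " ".join(flags))
```

On Windows, pass the function text in the same "pid command-line" shape collected with the platform's own process listing tool.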

Both bugs have been recognized by Valve, and a user has been assigned to each of them. A target milestone is not listed yet, though, and there is no indication when the security issues will be fixed by Valve.

Until Valve fixes the issues, Steam users should consider using an external, up-to-date web browser instead of the built-in Steam web browser.

Rob Joyce, chief of the NSA’s Tailored Access Operations (TAO), mentioned recently that Steam is a popular attack vector.


Martin Brinkmann


Ghacks Technology News


About Martin Brinkmann

Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand. You can follow Martin on Facebook, Twitter or Google+.