this post was submitted on 11 Aug 2025
182 points (97.9% liked)

Linux Gaming

20717 readers
53 users here now

Discussions and news about gaming on the GNU/Linux family of operating systems (including the Steam Deck). Potentially a $HOME away from home for disgruntled /r/linux_gaming denizens of the redditarian demesne.

This page can be subscribed to via RSS.

Original /r/linux_gaming pengwing by uoou.

No memes/shitposts/low-effort posts, please.

Resources

WWW:

Discord:

IRC:

Matrix:

Telegram:

founded 2 years ago
MODERATORS
monolalia@lemmy.world
182
What is stopping someone from creating a keylogger disguised as a typing game and uploading on Steam? (lemmy.umucat.day)
submitted 1 week ago* (last edited 1 week ago) by xavier666@lemmy.umucat.day to c/linux_gaming@lemmy.world
33 comments fedilink hide all child comments
 

I recently saw the game called "Bongo Cat" on Steam which monitors yours keystrokes and accordingly plays the bongo drums. I saw that it was not working properly on Wayland because it does not allow the game to record keystrokes from other apps.

This got me thinking; how does ~~Steam~~ Valve protect us from malware? I was searching for "steam games malware" on DDG and found out that there were a few incidents regarding this. I understand that Steam probably has a robust mechanism for understanding game behavior but it's kind of a black-box for us.

Is there any independent vulnerability checker for games? How paranoid should one be before downloading games from steam?

PS: I know that as Linux users, most attack vectors don't work for us but it's good to be aware just in case.

Edit: I need to clarify. I know Steam is just a game-launcher, it's not supposed to protect the user after the game is installed. I meant to say how does Valve protect the user from malicious games? Is their mechanism known?

top 33 comments
sorted by: hot top controversial new old
[–] savvywolf@pawb.social 89 points 1 week ago

As I understand it, Steam has a report feature on their store page for reporting games. Presumably that goes to a person that looks at it.

I think to upload games to Steam you also need to prove your identity. Which means if you do upload malware, then it's easy to track you down.

Of course, that takes time and things can slip through the cracks. Steam games are still full programs that run on your computer and can do anything a regular program can do, there's no sandboxing.

Treat them like you would apps on the Google Play store; assume that they're mostly safe but also give additional scrutiny to ones with low review counts or AI generated images.

[–] Mwa@thelemmy.club 35 points 1 week ago (1 children)

Rare time seeing the Wayland Feature protecting you from keystrokes.

[–] r00ty@kbin.life 5 points 1 week ago (3 children)

Won't protect you from a steam game, that runs in XWayland, which allows global hotkeys (and effectively I guess key monitoring). But yes, overall it's a nice security feature.

[–] domi@lemmy.secnd.me 28 points 1 week ago (2 children)

The default setting (at least for KDE) is to only send Meta, Control, Alt and Shift as well as any key you type while they are held.

There is also an option to disable it completely or send everything.

[–] r00ty@kbin.life 5 points 1 week ago

Aha OK. That's better than I expected then! Thanks for that. Running KDE Plasma here and I know CTRL works because I use it as PTT in several apps over XWayland. I just assumed they allowed them all.

[–] swelter_spark@reddthat.com 3 points 1 week ago

Cosmic has the same options.

[–] that_leaflet@lemmy.world 18 points 1 week ago

Xwayland doesn’t have all keystroke access, though Plasma does have a feature that lets you do just that.

[–] Mwa@thelemmy.club 2 points 1 week ago

Oh yeah,I forgot about xwayland apps.

[–] prole@lemmy.blahaj.zone 31 points 1 week ago (1 children)

I saw that it was not working properly on Wayland because it does not allow the game to record keystrokes from other apps.

I did not know Wayland did this. That's awesome.

[–] thevoidzero@lemmy.world 27 points 1 week ago (1 children)

Yeah, Wayland has a lot of security related things that makes your previous solutions not work. X11 was open and allowed you to do anything, but Wayland is secure, and we trade convenience for security.

Communication with other applications and system wide monitoring was easy for scripts in x11.

[–] mugita_sokiovt@discuss.online 9 points 1 week ago

There's actually a keylogging attack for Wayland, which is an LD_PRELOAD vulnerability that can be exploited. I wonder if that attack is still viable.

[–] dreadbeef@lemmy.dbzer0.com 23 points 1 week ago (1 children)

I understand that Steam probably has a robust mechanism for understanding game behavior

I mean maybe they run your game in a monitored environment and record what kinds of things you do behind the scenes, but that's a lot to ask for for every game uploaded. I honestly very much doubt it.

[–] cryptTurtle@piefed.social 6 points 1 week ago

I would expect that to either happen in a lightweight automated fashion and/or only be done manually when something is actively being investigated due to reporting

[–] kbal@fedia.io 17 points 1 week ago (1 children)

Gaben would come to your house and arrest you.

[–] xavier666@lemmy.umucat.day 7 points 1 week ago (1 children)

Gaben pls

[–] somerandomperson@lemmy.dbzer0.com 5 points 1 week ago* (last edited 1 week ago) (1 children)

I don't have an picture editor,so

Imagine a picture of angry gaben was here

[–] nickwitha_k@lemmy.sdf.org 16 points 1 week ago

IIRC, there was a recent case of a malware being discovered and quickly taken down.

[–] r00ty@kbin.life 15 points 1 week ago (1 children)

In general steam is going to run a .exe for a game, and as such that's really going to be able to do anything a user process can do under windows (or linux if it has a dedicated linux binary). Steam doesn't run games inside a sandbox. That includes prompting the user to elevate the process to admin, and if the user clicks yes, being able to do anything an admin level process can.

There may well be some pass/fail testing before they will list a game, and for sure if there were reports showing a game was doing something malware/illegal they would certainly investigate/remove games that breach this.

But, steam is not a protection in and of itself.

[–] prole@lemmy.blahaj.zone 5 points 1 week ago (3 children)

Forgive me as I haven't used Windows to game in years, but people have to allow admin access to play games?

[–] r00ty@kbin.life 9 points 1 week ago (1 children)

I would argue most don't need it. But my point was that steam don't (maybe cannot?) stop it. They run the .exe. If the exe asks for admin and the user grants it, they have admin. So a malicious "game" could definitely do this.

[–] prole@lemmy.blahaj.zone 1 points 1 week ago (1 children)

I guess... But maybe people shouldn't grant admin access to the game they launched through Steam.

Then again, basic computer literacy seems to be at a premium these days...

[–] Ghoelian@lemmy.dbzer0.com 1 points 1 week ago

Also windows shows that prompt way too often. Most people I know just click yes without thinking.

[–] wioum@lemmy.world 8 points 1 week ago

Mostly very old games and those with anticheat.

[–] unique_hemp@discuss.tchncs.de 1 points 1 week ago

Usually not on every launch, but a lot of first time launch installers require it.

[–] tal@lemmy.today 10 points 1 week ago* (last edited 1 week ago) (1 children)

This got me thinking; how does Steam protect us from malware?

In the sense of isolating games like a mobile app is on a mobile OS or something? It doesn't, not as it's installed normally. If you can do something, the game you're running can. Steam doesn't isolate individual games, and Steam is not, as it's normally installed, isolated.

Wayland won't let a random window on the screen see keystrokes going to others, but because the games aren't normally running in isolation, they can fiddle with the environment such that they can do whatever. Wayland's "keystroke" isolation is only useful if the software also can't muck with your files; it's intended to be used in conjunction with other forms of isolation.

I understand that it's possible to use Steam packaged as a flatpak, which will isolate the Steam environment as a unit, including Steam and games.

investigates

https://flathub.org/apps/com.valvesoftware.Steam

Steam is potentially unsafe

  • User device access
    Can access hardware devices such as webcams or gaming controllers
  • Music subfolder xdg-music
    Can read all data in the directory
  • Pictures subfolder xdg-pictures
    Can read all data in the directory
  • User runtime subfolder app/com.discordapp.Discord
    Can read and write all data in the directory

Assuming that those are the only filesystem permissions it has

and I don't have experience with flatpak, so I wouldn't use me as an authority

then it should prevent anything in the container from doing things like grabbing SSH and GPG keys, stuff like that. A malicious game in the flatpak could still grab your Steam credentials or information from other games and muck with those.

  • Legacy windowing system
    Uses a legacy windowing system

Not an issue if you're using Wayland, since it'll be using xwayland, which itself is isolated.

  • Network access
    Has network access

You cannot deny network access to the flatpak, as Steam will need that to work.

Some Steam games can be run outside of Steam, don't need to talk to it, and for those, you can explore other isolation options. Can maybe cut off network access using firejail or something like that.

  • Microphone access and audio playback
    Can listen using microphones and play audio without asking permission

  • Proprietary code
    The source code is not public, so it cannot be independently audited and might be unsafe

[–] xavier666@lemmy.umucat.day 2 points 1 week ago (1 children)

Thanks for the detailed response.

I guess if I'm not using Flatpak, the games have access to my entire home directory. Sounds a bit risky, but I trust that Valve is testing the games before releasing the game to the store.

But this seems like a single point of failure.

[–] tal@lemmy.today 1 points 1 week ago* (last edited 1 week ago)

I have no idea whether they try to audit for malware, but even if they do, it would be difficult to identify malware from just invoking a binary. It's not uncommon for malware to only become active under specific conditions, precisely to make it harder to identify.

[–] Phoenix3875@lemmy.world 5 points 1 week ago (2 children)

There are two cases.

When you run a game, the game is allowed to monitor your input (up to some configuration), so you shouldn't e.g. open a game and do online banking at the same time.

When the game installs a malicious software such that your input is monitored even when you're not running the game, then you can only rely on the additional defense mechanism. However, this is similar to all other software.

[–] xavier666@lemmy.umucat.day 3 points 1 week ago

One needs to trust a game like any other proprietary software. That seems like a good rule of thumb.

[–] tal@lemmy.today 1 points 1 week ago* (last edited 1 week ago)

When you run a game, the game is allowed to monitor your input (up to some configuration), so you shouldn’t e.g. open a game and do online banking at the same time.

I mean, once you invoke a game once outside a sandbox, all bets are off from that point on. It can modify your environment to do whatever from that point on. Like, it could, oh, modify your ~/.bashrc to invoke some keylogger binary that it drops off somewhere in your home directory. Just closing the game isn't going to be a reliable mechanism for preventing malware in a game from dicking with the system after that point.

[–] carpelbridgesyndrome@sh.itjust.works 5 points 1 week ago

They may not remove Nazi communities but anecdotally they seem to remove malware quickly. I do suspect though that there is other iffy software on steam so do pay attention.

[–] G0rb@infosec.pub 2 points 1 week ago

I love hunting Lumma-Stealer C2 Accounts in Steam.