Due to a misconfiguration, every customer can read the Steam account data of the user that zap-hosting uses to install or update its customers' game servers from Steam. With this data it is possible to take over the account and to change the linked recovery e-mail address and the password.
Not only would the installation of all Steam games then fail for all ZAP customers (wrong password), the user's complete game library would also be lost for Zap and would have to be bought again.
Reported to Zap as part of the bug bounty program and for the karma.
Status: Standard ticket
Status set from open to closed.
26.03.2026, 09:13
Hi dasKelli,
Thank you for your feedback. We ask for this information in the context of our bug bounty program (https://zap-hosting.com/en/security/) in order to investigate and fix possible security issues efficiently and without ambiguity.
This issue has already been reported and is currently being investigated.
Kind regards / Best regards,
Eric M.
2nd Level Support - FiveM Teamleader
Eric M. (25.03.2026, 12:18)
Sure, I'd be happy to explain to zap-hosting support how zap-hosting works.
For the installation/upgrade of a Steam-delivered game, a steamcmd installation is located in the customer's user directory, i.e. /g685268/scum/steamcmd/ and its executable steamcmd.exe is called directly with the hard-coded username/password when the customer accesses the web interface via the "Install Steam Game" / "Validate Steam Game" / "Update Steam Game" options.
In. the. user-controlled(!) directory. an. executable(!) to. which. the. user. has. rwx(!) permissions. and which. the. user. can. run. anytime. over. the. webinterface. with. "validate steamgame".
I don't know why I even have to explain anything further on this point.
- Nobody would put that in the user directory; there's no reason to.
- But if they did, they would call it with the user "Anonymous." There's no reason to use a real Steam user.
( see https://developer.valvesoftware.com/wiki/De/SteamCMD#Anonym )
- But if they did, they would use a dummy Steam user, not a private account belonging to a zap-hosting employee with a circle of friends, family sharing, and a valuable library of over 200 games.
- But if they did, bc yolo, then one would call the parameters username + password via a script file *WHICH WILL NOT BE LOCATED IN THE USER DIRECTORY* like /userpath/steamcmd.exe +runscript /nonreadablebyuser/updateparameters.script
( see https://developer.valvesoftware.com/wiki/De/SteamCMD#Ein_Skript_erstellen )
But if one doesn't do any of that, because there are no elementary security principles present, what exactly would stop a data traveler from replacing steamcmd.exe with an exposepassword2me.exe in their user directory, to which they have FTP read/write access?
(plain/txt in the year 2026, by the way, which wasn't even acceptable in 2013, but nobody expects anything beyond this point)
Exactly. I don't know either.
And that's how the Steam
user ID: 1083XXXXXXXXXXXXX
username: urbXXXXXXXXXXXXX
password: XXXXXXXXXXXXXXXX
are exposed to every customer who isn't exceptionally impressed with the quality of zap-hosting.
How did I find them?
They're right there. Completely unnecessarily. In plain sight.
Did I check whether people who do something like this would also use the same password on other services? No! Of course not! Nobody would do anything like this!
dasKelli (23.03.2026, 10:22)
Hi dasKelli,
Thank you for the report.
Could you please provide a bit more detail so we can check this properly?
1) Where exactly are these credentials exposed?
2) How did you find them, and what method can be used to retrieve them?
Once you send that information, we can review the impact and possible solution.
Kind regards / Best regards,
Eric M.
2nd Level Support - FiveM Teamleader
Eric M. (23.03.2026, 06:48)
19/3/2026
zap-hosting.com
### 1. Executive Summary
This report outlines a critical security misconfiguration identified within the service provider’s deployment and update infrastructure. The issue stems from the use of a *personal Steam account belonging to an employee* within automated scripts (SteamCMD), rather than the recommended anonymous authentication method.
Given that SteamCMD explicitly supports anonymous usage, the decision to implement authenticated access in this manner is, at best, indefensible. It results in the widespread exposure of sensitive credentials to all customers—and, by extension, any malicious actors with minimal technical capability.
### 2. Description of the Issue
The provider utilizes a SteamCMD script configured with **hardcoded credentials of a real employee’s real Steam account**. These scripts are distributed or otherwise accessible to customers as part of the service offering.
This implementation results in:
* Disclosure of the employee’s **Steam username and password**
* Replication of these credentials across multiple customer environments
* Lack of credential isolation or access control
It is worth noting that SteamCMD explicitly supports **anonymous login**, which avoids precisely this type of situation.
### 3. Security Impact
The exposure of valid Steam credentials introduces multiple high-risk attack vectors. Any customer—or external party who gains access to these scripts—can:
#### 3.1 Financial Abuse
* Purchase digital content using the compromised account
* Send purchased items as gifts, effectively laundering value
#### 3.2 Asset Theft
* Transfer inventory items via Steam trading mechanisms
* Convert items into monetary value through third-party marketplaces
#### 3.3 Account Compromise & Persistence
* Change account credentials (password and email)
* Lock out the legitimate account owner
* Prevent recovery by altering associated recovery mechanisms
#### 3.4 Abuse of Trust Relationships
* Distribute malicious links or phishing messages via the account to contacts
* Target the account’s friend network for further compromise
#### 3.5 Service Disruption
* Break all SteamCMD-based update and installation workflows relying on this account
* Cause widespread operational failure for all customers using the affected scripts
In short, the current setup offers attackers a fully functional account with zero barriers and no oversight.
### 4. Risk Assessment
| Category | Severity |
| --------------- | ------------ |
| Confidentiality | Critical |
| Integrity | Critical |
| Availability | High |
| Overall Risk | **Critical** |
Given the trivial effort required to exploit this issue, the absence of mitigating controls, and the scale of exposure, this vulnerability should be treated as **urgent and systemic**.
### 5. Root Cause Analysis
The root cause is not technical complexity but rather a complete absence of basic security judgment:
* Use of personal credentials in production-distributed scripts
* Failure to utilize built-in anonymous authentication mechanisms
* Lack of any credential management or access control strategy
* No apparent review, validation, or risk assessment process
This is not a subtle misconfiguration; it is a direct consequence of neglecting elementary security principles.
### 6. Recommendations
To remediate the issue, the following actions are strongly advised:
#### Immediate Actions
* Revoke and reset the exposed Steam account credentials
* Enable Steam Guard and additional account protections
* Audit account activity for unauthorized transactions or actions
#### Short-Term Fixes
* Replace all authenticated SteamCMD usage with **anonymous login**
* Remove all hardcoded credentials from scripts and distributions
* Redistribute corrected scripts to all customers
#### Long-Term Improvements
* Implement secure credential management practices (e.g., secrets vaults)
* Conduct regular security audits of deployment processes
* Establish clear policies prohibiting the use of personal accounts in production systems
### 7. Conclusion
This situation represents a preventable security failure with significant potential consequences—not only for the affected employee but also for customers and the provider’s operational stability.
While the underlying fix is straightforward, the continued existence of this issue suggests a concerning gap in security awareness and process oversight. Addressing it promptly would not only mitigate immediate risk but also demonstrate a baseline commitment to responsible system administration.
(19.03.2026, 08:24)
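As an added example (not code from this ticket or from zap-hosting), a small Python audit that encodes the three points made in the reply of 23.03.2026 and in the report's recommendations: the steamcmd binary must not live in the customer-writable directory, a game install should log in as anonymous, and a runscript that carries a real login must not be readable by the customer. Both job definitions are constructed; only the /g685268/scum/steamcmd/ path comes from the ticket, while the account name, password, app id and the /opt and /etc paths are placeholders. Paths are treated as POSIX for the containment check.

```python
"""Added audit for the three SteamCMD deployment mistakes discussed in this ticket.

Not zap-hosting's code: the checks encode the points made in the ticket, the
sample jobs below are constructed, and the account name, password, app id and
the /opt and /etc paths are placeholders.
"""
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import Dict, List, Tuple


@dataclass
class SteamCmdJob:
    """One install/validate/update invocation as a control panel would launch it."""
    user_home: str                  # directory the customer has FTP read/write on
    executable: str                 # steamcmd binary that gets launched
    argv: List[str]                 # arguments handed to it (+cmd style)
    scripts: Dict[str, str] = field(default_factory=dict)       # runscript path -> contents
    readable_by_user: List[str] = field(default_factory=list)   # other dirs the customer can read


def _under(path: str, root: str) -> bool:
    """True if path is root itself or lies below it (paths treated as POSIX)."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents


def _user_can_read(job: SteamCmdJob, path: str) -> bool:
    return _under(path, job.user_home) or any(_under(path, d) for d in job.readable_by_user)


def _commands(job: SteamCmdJob) -> List[Tuple[str, List[str], str]]:
    """Flatten argv (+cmd arg ...) and any referenced runscript into (cmd, args, origin).

    Arguments run until the next '+' token; '//' lines in a script are comments.
    """
    cmds: List[Tuple[str, List[str], str]] = []
    i = 0
    while i < len(job.argv):
        tok = job.argv[i]
        if not tok.startswith("+"):
            i += 1
            continue
        j = i + 1
        while j < len(job.argv) and not job.argv[j].startswith("+"):
            j += 1
        cmds.append((tok[1:], job.argv[i + 1:j], "argv"))
        i = j
    for cmd, args, _ in list(cmds):
        if cmd == "runscript" and args:
            for line in job.scripts.get(args[0], "").splitlines():
                parts = line.split()
                if parts and not parts[0].startswith("//"):
                    cmds.append((parts[0], parts[1:], args[0]))
    return cmds


def audit(job: SteamCmdJob) -> List[str]:
    """Return finding codes; an empty list means none of the ticket's three mistakes apply."""
    findings: List[str] = []
    # 1. A binary in the customer's own directory can be swapped for one that logs its argv.
    if _under(job.executable, job.user_home):
        findings.append("BINARY_IN_USER_DIR")
    cmds = _commands(job)
    # 2. A game install needs no account: anything but 'login anonymous' is a real credential,
    #    and a second argument means the password sits inline (process list or script file).
    for cmd, args, origin in cmds:
        if cmd == "login" and (args[0].lower() if args else "") != "anonymous":
            findings.append("REAL_ACCOUNT:" + origin)
            if len(args) > 1:
                findings.append("PLAINTEXT_PASSWORD:" + origin)
    # 3. A runscript that carries a real login must not be readable by the customer.
    for cmd, args, _ in cmds:
        if cmd == "runscript" and args and ("REAL_ACCOUNT:" + args[0]) in findings \
                and _user_can_read(job, args[0]):
            findings.append("SCRIPT_READABLE_BY_USER:" + args[0])
    return findings


# Constructed: the layout the ticket describes (only the /g685268/scum/steamcmd/ path is from it).
VULNERABLE = SteamCmdJob(
    user_home="/g685268",
    executable="/g685268/scum/steamcmd/steamcmd.exe",
    argv=["+login", "employee_account", "hunter2",          # placeholder credentials
          "+force_install_dir", "/g685268/scum",
          "+app_update", "1234567", "validate", "+quit"],    # placeholder app id
)

# Constructed: binary outside the customer tree, anonymous login, parameters in a root-only script.
HARDENED = SteamCmdJob(
    user_home="/g685268",
    executable="/opt/steamcmd/steamcmd.sh",
    argv=["+runscript", "/etc/gameserver/scum-update.script"],
    scripts={"/etc/gameserver/scum-update.script":
             "login anonymous\nforce_install_dir /g685268/scum\napp_update 1234567 validate\nquit\n"},
)

if __name__ == "__main__":
    for name, job in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit(job) or "no findings")
```

The audit deliberately reports a real account even when its script is unreadable by the customer, since the reply above treats the runscript outside the user directory as the last-resort fallback, not as the fix; the fix is the anonymous login.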