"In our opinion Valve must remove the passing of command-line parameters to games because it's too dangerous and they can't control how these third parties software can act with malformed parameters," the researcher said.
Valve did not immediately return a request for comment.
Earlier this month Valve started to distribute select non-gaming software titles through Steam. Vulnerabilities found in such applications might also be exploitable through steam:// URLs, Auriemma said.
"In the recent months Valve invested a lot in the Steam platform launching the beta version of Steam for Linux, adding the GreenLight service where users can vote what games they would like to see available on Steam, added the Software section, added more games and some highlighted games available full for limited time, tons of free-to-play games and much more," the researcher said. "There was no better moment to notice these issues than now."