Steam accounts were vulnerable to serious password-reset bug for 4 days
It wasn’t a hack, but it was just as bad.
Video-game distribution platform Steam was vulnerable to a serious password-reset bug from at least July 21, and if not for the trading holds Steam applies after a password reset, plenty of Steam users could have been in big trouble.
The method for gaining unauthorized access to Steam accounts barely qualified as a hack. A password-reset request generates an email to the address on file for the Steam account in question, and that email carries a code that must be entered before the reset can proceed. The bug let the reset go through without that code ever being checked, so the server never verified that the person asking for the reset could read the account's email.
In other words, if someone knew your Steam account name—say, if you streamed your games on Twitch and your login window was visible—they could access your account, change your password, and effectively lock you out.
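To make the failure concrete, here is an added example that is not Steam's or Valve's code: a minimal email-code password-reset flow with two completion handlers, one whose verification step can be skipped and one hardened so that it cannot. The article does not say exactly how Steam's check was bypassed, so the weak handler models an assumed failure mode that is common in this kind of flow (a missing code is treated as nothing to verify); the account store, the stand-in mailer, the code lifetime and the attempt cap are all constructed for the illustration.

```python
# Added example (not Steam's or Valve's code): an email-code password-reset
# flow with a skippable verification step beside a hardened one.
# The account store, mailer, TTL, attempt cap and the exact way the weak
# handler fails are all assumptions made for this illustration.
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset code
MAX_ATTEMPTS = 5             # assumed cap on wrong guesses per issued code


class Outbox:
    """Stand-in for the mailer: records what would have been emailed."""
    def __init__(self):
        self.sent = []          # list of (email, code) pairs

    def send(self, email, code):
        self.sent.append((email, code))


class ResetService:
    def __init__(self, users, outbox, now=time.time):
        self.users = users      # account name -> {"email": ..., "password": ...}
        self.outbox = outbox
        self.now = now          # injectable clock so expiry can be exercised
        self.pending = {}       # account name -> pending reset state

    def request_reset(self, account):
        """Step 1: email a one-time code to the address on file."""
        if account not in self.users:
            return                              # do not reveal whether the account exists
        code = secrets.token_hex(16)            # 128 random bits, unguessable
        self.pending[account] = {
            "digest": hashlib.sha256(code.encode()).digest(),  # never store the code itself
            "expires": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.outbox.send(self.users[account]["email"], code)

    # --- weak handler: models the class of bug the article describes (assumed form) ---
    def complete_reset_weak(self, account, code, new_password):
        """Verification only runs when a code was supplied, so an attacker who
        knows nothing but the account name submits an empty code and wins."""
        state = self.pending.get(account)
        if state is None:
            return False
        if code:                                # BUG: empty/missing code skips the check
            if hashlib.sha256(code.encode()).digest() != state["digest"]:
                return False
        self.users[account]["password"] = new_password
        del self.pending[account]
        return True

    # --- hardened handler ---
    def complete_reset(self, account, code, new_password):
        """Require a pending code, reject expired ones, cap guesses, compare in
        constant time, and consume the code on success so it cannot be replayed."""
        state = self.pending.get(account)
        if state is None or not code:
            return False
        if self.now() > state["expires"]:
            del self.pending[account]
            return False
        state["attempts"] += 1
        if state["attempts"] > MAX_ATTEMPTS:
            del self.pending[account]
            return False
        supplied = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(supplied, state["digest"]):
            return False
        self.users[account]["password"] = new_password
        del self.pending[account]               # single use
        return True


def demo():
    """An attacker who knows only the account name tries both handlers."""
    outbox = Outbox()
    users = {"streamer": {"email": "s@example.invalid", "password": "old"}}  # constructed
    svc = ResetService(users, outbox)

    svc.request_reset("streamer")
    weak_takeover = svc.complete_reset_weak("streamer", "", "attacker-pw")

    svc.request_reset("streamer")
    hardened_blank = svc.complete_reset("streamer", "", "attacker-pw")
    hardened_wrong = svc.complete_reset("streamer", "00" * 16, "attacker-pw")
    real_code = outbox.sent[-1][1]              # what the legitimate owner reads in email
    owner_reset = svc.complete_reset("streamer", real_code, "owner-pw")
    replay = svc.complete_reset("streamer", real_code, "attacker-pw")
    return {
        "weak_takeover": weak_takeover,
        "hardened_blank": hardened_blank,
        "hardened_wrong": hardened_wrong,
        "owner_reset": owner_reset,
        "replay": replay,
        "password": users["streamer"]["password"],
    }


if __name__ == "__main__":
    print(demo())
```

The hardened handler also illustrates why the trading holds discussed below matter: even with every check in place, the reset still changes the password, so the service needs a second line of defence that limits what a freshly reset account can do.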
YouTuber Elm Hoe demonstrated the process in a video uploaded on Saturday. He also reported in the comments that, after releasing the video, “around 2000” people attempted to use the method to access his account.
Elm Hoe also reported that the Steam account vulnerability was patched ten minutes after he posted the video.
Steam automatically applies a five-day hold on trading items following a password reset and a seven-day hold on trading items when a Steam account is accessed from a new IP address. These holds would not have stopped an attacker from locking the owner out, but they should have kept anyone who took over an account with this bug from trading away its items.
Based on reports from users who were locked out of their accounts due to the bug, Valve apparently did not alert Steam users to the problem immediately after discovering it.
In fact, in a statement issued to Kotaku, Valve said that it only discovered the password reset bug on July 25 and that the problem could have affected accounts from July 21 through July 25.
“To protect users, we are resetting passwords on accounts with suspicious password changes during that period or [that] may have otherwise been affected,” Valve said in the statement. “Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.”
Valve also said that while hackers could have changed account passwords by exploiting the bug, no hacker would have been able to see an account’s original password, and that if Steam’s two-factor authentication, Steam Guard, were activated, any account accessed through the bug would still have been protected from unauthorized logins.
Illustration by Jason Reed
Dennis Scimeca was the Daily Dot's gaming reporter until 2016. He loves first-person shooters, role-playing games, and massively multiplayer online games. His work has appeared in Salon, NPR, Ars Technica, Kotaku, Polygon, Gamasutra, GamesBeat, Paste, and Mic.