Steam accounts were vulnerable to serious password-reset bug for 4 days
It wasn’t a hack, but it was just as bad.
Video-game streaming service Steam has been vulnerable to a serious password exploitation technique since at least July 21, and if not for five-day bans on password changes, plenty of Steam users could have been in big trouble.
The method for gaining unauthorized access to Steam accounts barely qualified as a hack. Password reset requests generate an email to the address of the Steam user in question. That email includes a code that must be entered for the reset process to proceed. But the password reset bug skipped the code phase and allowed a reset without any verification.
In other words, if someone knew your Steam account name—say, if you streamed your games on Twitch and your login window was visible—they could access your account, change your password, and effectively lock you out.
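To make the class of defect concrete, here is an added toy model of an e-mail code reset flow (constructed example; it is not Steam's code and does not claim to reflect how Valve's system was built). The defective handler performs the reset without ever checking the submitted code, so knowing the account name is enough; the corrected handler requires a matching, unexpired, single-use code. The 15-minute expiry, the account names and the e-mail addresses are assumptions for illustration.

```python
"""Toy model of an e-mail code password-reset flow, showing the missing
verification step beside its corrected form.  Constructed example."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CODE_TTL_SECONDS = 15 * 60  # assumption: reset codes expire after 15 minutes


@dataclass
class Account:
    name: str
    password: str
    email: str
    reset_code: Optional[str] = None
    reset_issued_at: float = 0.0


class ResetService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # Stand-in for the mail system: (recipient, code) pairs that were "sent".
        self.outbox: List[Tuple[str, str]] = []

    def register(self, name: str, password: str, email: str) -> None:
        self.accounts[name] = Account(name, password, email)

    def request_reset(self, name: str) -> bool:
        """Step 1: generate a random code and e-mail it to the address on file."""
        acct = self.accounts.get(name)
        if acct is None:
            return False
        acct.reset_code = secrets.token_hex(16)
        acct.reset_issued_at = time.time()
        self.outbox.append((acct.email, acct.reset_code))
        return True

    # --- defective variant: the code phase is never enforced --------------
    def complete_reset_vulnerable(self, name: str, submitted_code: str,
                                  new_password: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None:
            return False
        # BUG: the handler never compares submitted_code with the e-mailed
        # code, so an empty or wrong code still changes the password.
        acct.password = new_password
        acct.reset_code = None
        return True

    # --- corrected variant: verify before changing anything ----------------
    def complete_reset(self, name: str, submitted_code: Optional[str],
                       new_password: str, now: Optional[float] = None) -> bool:
        acct = self.accounts.get(name)
        now = time.time() if now is None else now
        if acct is None or acct.reset_code is None:
            return False  # no reset in progress for this account
        if now - acct.reset_issued_at > CODE_TTL_SECONDS:
            acct.reset_code = None  # expired codes are discarded
            return False
        # Constant-time comparison so the check does not leak code bytes.
        if not hmac.compare_digest(acct.reset_code, submitted_code or ""):
            return False
        acct.password = new_password
        acct.reset_code = None  # single use: the code cannot be replayed
        return True


if __name__ == "__main__":
    svc = ResetService()
    svc.register("alice", "old-password", "alice@example.test")
    svc.request_reset("alice")
    print("vulnerable handler, empty code:",
          svc.complete_reset_vulnerable("alice", "", "changed"))
    svc.request_reset("alice")
    code = svc.outbox[-1][1]
    print("fixed handler, empty code:", svc.complete_reset("alice", "", "x"))
    print("fixed handler, real code:", svc.complete_reset("alice", code, "y"))
```

The fix is the single comparison the defective handler lacks; the expiry and single-use checks close the adjacent gaps (a code that never expires or can be replayed). A second factor on login, such as the Steam Guard protection the article mentions, is an independent layer and is not modelled here.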
YouTuber Elm Hoe demonstrated the process in a video uploaded on Saturday. He also reported in the comments that, after releasing the video, “around 2000” people attempted to use the method to access his account.
Elm Hoe also reported that the Steam account vulnerability was patched ten minutes after he posted the video.
Steam automatically applies a five-day ban on trading items following a password reset and a seven-day ban on trading items when a Steam account is accessed from a new IP address. These measures should have protected anyone whose account was compromised using this bug.
Based on reports from users who were locked out of their accounts due to the bug, Valve apparently did not alert Steam users to the problem immediately after discovering it.
In fact, in a statement issued to Kotaku, Valve said that it only discovered the password reset bug on July 25 and that the problem could have affected accounts from July 21 through July 25.
“To protect users, we are resetting passwords on accounts with suspicious password changes during that period or [that] may have otherwise been affected,” Valve said in the statement. “Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.”
Valve also said that while hackers could have changed account passwords by exploiting the bug, no hacker would have been able to see an account’s original password, and that if Steam’s two-factor authentication, Steam Guard, were activated, any account accessed through the bug would still have been protected from unauthorized logins.
Illustration by Jason Reed
Dennis Scimeca was the Daily Dot's gaming reporter until 2016. He loves first-person shooters, role-playing games, and massively multiplayer online games. His work has appeared in Salon, NPR, Ars Technica, Kotaku, Polygon, Gamasutra, GamesBeat, Paste, and Mic.