Steam accounts were vulnerable to serious password-reset bug for 4 days
It wasn’t a hack, but it was just as bad.
Video-game streaming service Steam has been vulnerable to a serious password exploitation technique since at least July 21, and if not for five-day bans on password changes, plenty of Steam users could have been in big trouble.
The method for gaining unauthorized access to Steam accounts barely qualified as a hack. Password reset requests generate an email to the address of the Steam user in question. That email includes a code that must be entered for the reset process to proceed. But the password reset bug skipped the code phase and allowed a reset without any verification.
In other words, if someone knew your Steam account name—say, if you streamed your games on Twitch and your login window was visible—they could access your account, change your password, and effectively lock you out.
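The flow the article describes (reset request, emailed code, reset allowed only once the code is entered) is easy to get wrong in exactly the way the bug did. The following is an added example, not Steam's or Valve's code: a constructed in-memory account store with a reset routine that models the flaw (it never looks at the emailed code, so knowing an account name is enough to set a new password) beside a hardened version that requires a matching, unexpired, single-use code. The store, the fake mailbox, and the 15-minute code lifetime are assumptions chosen for the demonstration. Passwords are stored salted and hashed, which illustrates Valve's point that a reset lets an attacker replace a password but never reveals the original one.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-ins for a user database and an outbound mail queue.
USERS = {}        # account_name -> {"salt": bytes, "hash": bytes}
RESET_CODES = {}  # account_name -> {"code": str, "expires": float}
MAILBOX = []      # (account_name, code) pairs "emailed" to the account owner

CODE_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset code


def _hash_password(password, salt):
    # Salted PBKDF2: the stored value cannot be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(name, password):
    salt = os.urandom(16)
    USERS[name] = {"salt": salt, "hash": _hash_password(password, salt)}


def check_login(name, password):
    user = USERS.get(name)
    if user is None:
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])


def request_reset(name, now=None):
    """Step 1 of both flows: mint a random code and 'email' it to the account owner."""
    if name not in USERS:
        return  # same response for unknown names, so the endpoint does not reveal which exist
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(16)
    RESET_CODES[name] = {"code": code, "expires": now + CODE_TTL_SECONDS}
    MAILBOX.append((name, code))


def reset_password_vulnerable(name, new_password):
    """Models the reported flaw: the reset completes without the emailed code being checked."""
    if name not in USERS:
        return False
    salt = os.urandom(16)
    USERS[name] = {"salt": salt, "hash": _hash_password(new_password, salt)}
    RESET_CODES.pop(name, None)
    return True


def reset_password_fixed(name, supplied_code, new_password, now=None):
    """Hardened flow: proceed only with a code that was issued, has not expired, and matches."""
    pending = RESET_CODES.get(name)
    if pending is None or name not in USERS:
        return False
    now = time.time() if now is None else now
    if now > pending["expires"]:
        RESET_CODES.pop(name, None)  # stale code is discarded, owner must request a new one
        return False
    if not hmac.compare_digest(pending["code"].encode(), supplied_code.encode()):
        return False
    RESET_CODES.pop(name, None)  # single use: a captured code cannot be replayed
    salt = os.urandom(16)
    USERS[name] = {"salt": salt, "hash": _hash_password(new_password, salt)}
    return True


def demo():
    """Run both flows against a constructed account and report what each allowed."""
    USERS.clear(); RESET_CODES.clear(); MAILBOX.clear()
    create_account("streamer", "original-pw")
    # Vulnerable flow: the only input is the account name, no code was ever requested.
    hijacked = reset_password_vulnerable("streamer", "attacker-pw")
    attacker_in = check_login("streamer", "attacker-pw")
    owner_out = not check_login("streamer", "original-pw")
    # Hardened flow: a guessed code fails, the emailed code works once, a replay fails.
    create_account("streamer", "original-pw")
    request_reset("streamer")
    guessed = reset_password_fixed("streamer", "not-the-code", "attacker-pw")
    owner_code = MAILBOX[-1][1]
    legitimate = reset_password_fixed("streamer", owner_code, "owner-new-pw")
    replay = reset_password_fixed("streamer", owner_code, "attacker-pw")
    return {
        "vulnerable_reset_succeeded": hijacked,
        "attacker_can_log_in_after_vulnerable_reset": attacker_in,
        "owner_locked_out_after_vulnerable_reset": owner_out,
        "fixed_reset_with_guessed_code": guessed,
        "fixed_reset_with_emailed_code": legitimate,
        "fixed_reset_replay_of_used_code": replay,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The defensive points the hardened version adds are the ones a reviewer would look for in any reset endpoint: the code must actually be consulted, it must be compared in constant time, it must expire, and it must be invalidated on first use. None of this replaces a second factor; as the article notes, an account with Steam Guard enabled would still have blocked a login even after a forced password change.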
YouTuber Elm Hoe demonstrated the process in a video uploaded on Saturday. He also reported in the comments that, after releasing the video, “around 2000” people attempted to use the method to access his account.
Elm Hoe also reported that the Steam account vulnerability was patched ten minutes after he posted the video.
Steam automatically applies a five-day ban on trading items following a password reset and a seven-day ban on trading items when a Steam account is accessed from a new IP address. These measures should have protected anyone whose account was compromised using this bug.
Based on reports from users who were locked out of their accounts due to the bug, Valve apparently did not alert Steam users to the problem immediately after discovering it.
In fact, in a statement issued to Kotaku, Valve said that it only discovered the password reset bug on July 25 and that the problem could have affected accounts from July 21 through July 25.
“To protect users, we are resetting passwords on accounts with suspicious password changes during that period or [that] may have otherwise been affected,” Valve said in the statement. “Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.”
Valve also said that while hackers could have changed account passwords by exploiting the bug, no hacker would have been able to see an account’s original password, and that if Steam’s two-factor authentication, Steam Guard, were activated, any account accessed through the bug would still have been protected from unauthorized logins.
Illustration by Jason Reed
Dennis Scimeca was the Daily Dot's gaming reporter until 2016. He loves first-person shooters, role-playing games, and massively multiplayer online games. His work has appeared in Salon, NPR, Ars Technica, Kotaku, Polygon, Gamasutra, GamesBeat, Paste, and Mic.