Steam accounts were vulnerable to serious password-reset bug for 4 days
It wasn’t a hack, but it was just as bad.
Video-game streaming service Steam has been vulnerable to a serious password exploitation technique since at least July 21, and if not for five-day bans on password changes, plenty of Steam users could have been in big trouble.
The method for gaining unauthorized access to Steam accounts barely qualified as a hack. Password reset requests generate an email to the address of the Steam user in question. That email includes a code that must be entered for the reset process to proceed. But the password reset bug skipped the code phase and allowed a reset without any verification.
In other words, if someone knew your Steam account name—say, if you streamed your games on Twitch and your login window was visible—they could access your account, change your password, and effectively lock you out.
YouTuber Elm Hoe demonstrated the process in a video uploaded on Saturday. He also reported in the comments that, after releasing the video, “around 2000” people attempted to use the method to access his account.
Elm Hoe also reported that the Steam account vulnerability was patched ten minutes after he posted the video.
Steam automatically applies a five-day ban on trading items following a password reset and a seven-day ban on trading items when a Steam account is accessed from a new IP address. These measures should have protected anyone whose account was compromised using this bug.
Based on reports from users who were locked out of their accounts due to the bug, Valve apparently did not alert Steam users to the problem immediately after discovering it.
In fact, in a statement issued to Kotaku, Valve said that it only discovered the password reset bug on July 25 and that the problem could have affected accounts from July 21 through July 25.
“To protect users, we are resetting passwords on accounts with suspicious password changes during that period or [that] may have otherwise been affected,” Valve said in the statement. “Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.”
Valve also said that while hackers could have changed account passwords by exploiting the bug, no hacker would have been able to see an account’s original password, and that if Steam’s two-factor authentication, Steam Guard, were activated, any account accessed through the bug would still have been protected from unauthorized logins.
Illustration by Jason Reed
Dennis Scimeca was the Daily Dot's gaming reporter until 2016. He loves first-person shooters, role-playing games, and massively multiplayer online games. His work has appeared in Salon, NPR, Ars Technica, Kotaku, Polygon, Gamasutra, GamesBeat, Paste, and Mic.