Some Steam gamers got a nasty surprise this weekend, after a gaping vulnerability in Steam's password reset process was exploited to gain access to their accounts – although thankfully the flaw is now fixed. What was truly alarming is just how easy the exploit was to pull off.
The only thing a malicious party needed to know was the username of an account (and those aren't difficult to find online), so they could request a password reset for it.
Normally you must enter the correct validation code sent to the linked email address before the password can be changed, but the exploit was simply to leave that code field blank. With nothing entered for validation, the system went ahead and performed the reset anyway, as Elm Hoe, a gamer from the UK, demonstrated in a YouTube video.
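The article does not say what Valve's server-side code actually did wrong, so the following is an added illustration, not Steam's code: a hypothetical reset-code check that fails in the way described (it rejects a wrong code but never insists that a code be supplied at all), beside a hardened version that requires a non-empty, unexpired, single-use code compared in constant time with a cap on guesses. All names (`PENDING_RESETS`, `request_reset`, `verify_code_vulnerable`, `verify_code_hardened`, `reset_password`, `MAX_ATTEMPTS`) and the in-memory store are assumptions made for the example.

```python
import hmac
import secrets
import time

# Constructed in-memory store of pending resets: username -> {code, expiry, attempts}.
# Hypothetical stand-in for a server-side table; none of this is Steam's actual code.
PENDING_RESETS = {}

MAX_ATTEMPTS = 5          # guesses allowed per issued code (assumed policy)
CODE_LIFETIME_SECS = 15 * 60


def request_reset(username, now=None):
    """Issue a fresh one-time reset code for the account (the part that would be
    emailed). Returns the code so the example can play the legitimate user."""
    now = time.time() if now is None else now
    code = secrets.token_hex(4).upper()   # 8 hex characters
    PENDING_RESETS[username] = {
        "code": code,
        "expires": now + CODE_LIFETIME_SECS,
        "attempts": 0,
    }
    return code


def verify_code_vulnerable(username, submitted_code):
    """Hypothetical buggy check: only a *wrong* code is rejected. An empty or
    missing submission skips the comparison and is accepted, which matches the
    blank-field behaviour the article describes."""
    pending = PENDING_RESETS.get(username)
    if pending is None:
        return False
    if submitted_code and submitted_code != pending["code"]:
        return False          # wrong code: rejected
    return True               # blank code: silently accepted (the bug)


def verify_code_hardened(username, submitted_code, now=None):
    """Require a non-empty, unexpired, single-use code; compare in constant
    time; cap guesses so a short code cannot simply be brute-forced."""
    now = time.time() if now is None else now
    pending = PENDING_RESETS.get(username)
    if pending is None or not submitted_code:
        return False          # no pending reset, or no code supplied
    if now > pending["expires"]:
        del PENDING_RESETS[username]
        return False          # stale code
    pending["attempts"] += 1
    if pending["attempts"] > MAX_ATTEMPTS:
        del PENDING_RESETS[username]
        return False          # too many guesses: burn the code
    if not hmac.compare_digest(submitted_code.strip().upper(), pending["code"]):
        return False          # wrong code
    del PENDING_RESETS[username]   # single use: consume on success
    return True


def reset_password(username, submitted_code, new_password, verify=verify_code_hardened):
    """Change the password only if the chosen verifier accepts the code."""
    if not verify(username, submitted_code):
        return False
    # A real service would store a hash of new_password here.
    return True


if __name__ == "__main__":
    request_reset("victim")
    print("vulnerable check, blank code:",
          reset_password("victim", "", "pwned", verify=verify_code_vulnerable))
    request_reset("victim")
    print("hardened check, blank code:",
          reset_password("victim", "", "pwned"))
```

The vulnerable branch is a common shape for this class of bug: the comparison is correct, but the guard around it treats "nothing submitted" as "nothing to check". The hardened version makes the absence of a code a hard failure and adds the expiry, single-use and attempt-limit controls that a reset code needs regardless of how the comparison itself is written.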
As Hoe notes in the clip, it's fortunate that Steam imposes a seven-day ban on trading items from a new device (and a five-day ban after a password change); otherwise we could have seen a lot more nastiness over the weekend.
All in all, this was a pretty big fail for a big-name gaming service like Steam, and it's quite bewildering how a bug like this could exist even for a brief time (five days in total last week, running up to and including Saturday).
Valve issued a statement to Kotaku saying the post-exploit clean-up involved scanning for suspicious password changes during the period the exploit was live and resetting those passwords. If you're one of the unlucky ones, you'll get an email explaining what happened and providing a new password, which you should then change.
You can even keep your original password should you wish, as Valve notes that the exploit didn't reveal that to the third-party intruder: “Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorised logins even if the password was modified.”
The case for two-factor authentication across all of your important online accounts (and indeed any services that offer 2FA) grows stronger by the day…
Via The Register