SoylentNews is people

posted by janrinok on Monday July 27 2015, @09:14PM
from the but-it's-fixed-now dept.

Over the weekend, game publisher Valve patched a vulnerability that allowed the password of a user account to be reset without the reset code being validated.

UK gamer Elm Hoe demonstrated the simple attack in this YouTube video.

In case you don't have time to watch it, the coding error was simplicity itself. After the usual "forgot password" preliminaries, a user is supposed to receive an e-mail containing a reset code and enter that code to reach the "new password" page. Only, as Hoe showed, the server wasn't validating the codes: if he left the "enter the code" field empty, he could click straight through to the "new password" page.

Since users can easily see the userid of other players, it was trivial to hijack any other user's account.
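The flaw described above is easiest to see beside a correct check. The following is an added illustration, not Valve's code and not anything from the video: the exact server-side mistake is not public, so `vulnerable_code_is_valid` simply models the observed behaviour (an empty code is accepted), while `hardened_code_is_valid` shows the checks a reset handler needs. Names, the 15-minute lifetime and the in-memory store are assumptions for the example.

```python
"""Password-reset code validation: the observed bug beside a hardened check.

Added example; the vulnerable function models the behaviour reported for the
Valve reset flow (empty code accepted), not its actual implementation.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset code


@dataclass
class ResetRequest:
    user_id: str
    code: str
    expires_at: float
    used: bool = False


class ResetStore:
    """Pending reset requests keyed by user id (in-memory for the example)."""

    def __init__(self):
        self.pending = {}

    def issue(self, user_id, now=None):
        """Create a fresh, random, single-use code for user_id and return it."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(24)  # 192 bits; not guessable
        self.pending[user_id] = ResetRequest(user_id, code, now + RESET_TTL_SECONDS)
        return code


def vulnerable_code_is_valid(store, user_id, submitted):
    """Models the reported bug: only a *non-empty* wrong code is rejected.

    An attacker who submits an empty 'enter the code' field passes this check
    for any user id and reaches the 'new password' page.
    """
    pending = store.pending.get(user_id)
    if submitted and pending is not None and submitted != pending.code:
        return False
    return True  # empty code, or no pending request, falls through as "valid"


def hardened_code_is_valid(store, user_id, submitted, now=None):
    """Accept only a non-empty, unexpired, unused code that matches exactly."""
    now = time.time() if now is None else now
    pending = store.pending.get(user_id)
    if pending is None or pending.used:
        return False  # nothing to redeem (or already redeemed)
    if not submitted:
        return False  # the bug: an absent code must never count as a match
    if now > pending.expires_at:
        return False  # stale codes are rejected
    # Constant-time comparison on bytes so a non-ASCII submission cannot raise.
    if not hmac.compare_digest(submitted.encode("utf-8"), pending.code.encode("utf-8")):
        return False
    pending.used = True  # single use: replaying the e-mailed code fails
    return True


if __name__ == "__main__":
    store = ResetStore()
    real_code = store.issue("victim", now=1000.0)
    print("vulnerable, empty code :", vulnerable_code_is_valid(store, "victim", ""))
    print("hardened,   empty code :", hardened_code_is_valid(store, "victim", "", now=1000.0))
    print("hardened,   real code  :", hardened_code_is_valid(store, "victim", real_code, now=1000.0))
    print("hardened,   replayed   :", hardened_code_is_valid(store, "victim", real_code, now=1000.0))
```

The hardened version also treats "no pending request" and "wrong code" identically, so probing a visible userid through the reset form reveals nothing about whether a reset is in progress.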

As he points out, now that Valve is aware of the issue, anyone trying the hijack would be risking a permanent ban.

  • (Score: 4, Insightful) by Flyingmoose on Monday July 27 2015, @09:45PM

    "anyone trying the hijack would be risking a permanent ban"

    How would they know who was trying it? It could be anyone, even someone who doesn't have a Valve account to begin with. Or you could do it from a WiFi or public computer.

  • (Score: 0) by Anonymous Coward on Tuesday July 28 2015, @02:05AM

    They are a gaming company. All they know is threats of temporary or permanent bans as that is the only power they hold.

  • (Score: 3, Touché) by davester666 on Tuesday July 28 2015, @07:54AM

    Everybody knows that an IPv4 address uniquely identifies an individual. How else could the RIAA and MPAA go around suing people for downloading content?