Over the weekend, game publisher Valve patched a vulnerability that let user accounts have their passwords reset without proper validation.
UK gamer Elm Hoe demonstrated the simple attack in this YouTube video.
In case you don't have time to watch it, the coding error was simplicity itself. After the usual “forgot password” preliminaries, a user is supposed to get an e-mail with a reset code, and use that code to get to the “new password” page. However, as Hoe showed, the server wasn't validating the codes. If he left the “enter the code” field empty, he could click through to the “new password” page.
Since users can easily see the userid of other players, it was trivial to hijack any other user's account.
As he points out, now [that] Valve is aware of the issue, anyone trying the hijack would be risking a permanent ban.
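A sketch of how an empty reset code can slip past a check, next to a version that fails closed. This is an added example, not Valve's code or anything shown in the video; the function names, the in-memory store and the 15-minute lifetime are assumptions for illustration.

```python
import hmac
import secrets
import time

RESET_TTL_SECONDS = 900  # assumed 15-minute lifetime for a reset code

# Constructed in-memory store: account name -> (code, issued_at)
_pending = {}

def issue_reset_code(account, now=None):
    """Create a reset code for the account (it would be sent by e-mail)."""
    code = secrets.token_hex(4)
    _pending[account] = (code, time.time() if now is None else now)
    return code

def verify_flawed(account, submitted):
    """Flawed pattern: the comparison only runs when a code was typed in."""
    stored = _pending.get(account)
    if submitted and (stored is None or submitted != stored[0]):
        return False
    return True  # an empty field falls through to the "new password" page

def verify_hardened(account, submitted, now=None):
    """Fail closed: an issued, unexpired, exactly matching code is required."""
    now = time.time() if now is None else now
    stored = _pending.get(account)
    if not submitted or stored is None:
        return False  # empty field or no reset requested: reject
    code, issued_at = stored
    if now - issued_at > RESET_TTL_SECONDS:
        del _pending[account]  # expired codes are discarded
        return False
    if not hmac.compare_digest(submitted.encode(), code.encode()):
        return False
    del _pending[account]  # single use: a code cannot be replayed
    return True
```

The hardened check treats "no code supplied" and "no reset pending" as failures rather than as cases where the comparison is skipped, which is the property the flawed version lacks.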
(Score: 0) by Anonymous Coward on Tuesday July 28 2015, @12:28AM
How is this for a headline?
Steam Suffers Senseless Stability Shortcoming letting Someone Stealthily Switch Secret passwords to Snatch and Steal Some Sucker's Stupid [Cyber] Stuff.
(Score: 0) by Anonymous Coward on Tuesday July 28 2015, @12:35AM
"anyone trying the hijack would be risking a permanent ban."
Steam sets stealing sociopaths straight.