Over the weekend, game publisher Valve patched a vulnerability that let user accounts have their passwords reset without proper validation.
UK gamer Elm Hoe demonstrated the simple attack in this Youtube Video.
In case you don't have time to watch it, the coding error was simplicity in itself. After the usual “forgot password” preliminaries, a user is supposed to get an e-mail with a reset code, and use that code to take them to the “new password” page.Only: as Hoe showed, the server wasn't validating the codes. If he left the “enter the code” field empty, he could click through to the “new password” page.
Since users can easily see the userid of other players, it was trivial to hijack any other users account.
As he points out, now [that] Valve is aware of the issue, anyone trying the hijack would be risking a permanent ban.
(Score: 4, Insightful) by Flyingmoose on Monday July 27 2015, @09:45PM
"anyone trying the hijack would be risking a permanent ban"
How would they know who was trying it? It could be anyone, even someone who doesn't have a Valve account to begin with. Or you could do it from a WiFi or public computer.
(Score: 0) by Anonymous Coward on Tuesday July 28 2015, @02:05AM
They are a gaming company. All they know is threats of temporary or permanent bans as that is the only power they hold.
(Score: 3, Touché) by davester666 on Tuesday July 28 2015, @07:54AM
Everybody knows that an IPv4 address uniquely an individual. How else could the RIAA and MPAA go around suing people for downloading content?
(Score: 2) by pogostix on Monday July 27 2015, @11:26PM
don't worry guys. I just tested SN and we seem to be secure.
Sorry about the password reset EF ;)
(Score: 0) by Anonymous Coward on Tuesday July 28 2015, @12:08AM
Surrounding Stupid Service Shenanigans, Shitheads Steam.
(Score: 0) by Anonymous Coward on Tuesday July 28 2015, @12:28AM
How is this for a headline
Steam Suffers Senseless Stability Shortcoming letting Someone Stealthily Switch Secrete passwords to Snatch and Steal Some Sucker's Stupid [Cyber] Stuff.
(Score: 0) by Anonymous Coward on Tuesday July 28 2015, @12:35AM
"anyone trying the hijack would be risking a permanent ban."
Steam sets stealing sociopaths straight.
(Score: 0) by Anonymous Coward on Tuesday July 28 2015, @03:46PM
He could. Thankfully, he didn't.
(Score: 0) by Anonymous Coward on Tuesday July 28 2015, @02:03AM
Expect to get fucked.
(Score: 3, Funny) by VortexCortex on Tuesday July 28 2015, @03:58AM
Welcome to cloud city:
I am altering the password, pray I don't alter it any further.
(Score: 2) by WizardFusion on Tuesday July 28 2015, @10:57AM
You are all missing the important bit...
It claimed its Steam Guard option, if used, would protect users against the bug.
If anyone is using Steam without the Steam Guard enabled then they deserve what they get. The function is there, for free, for everyone to help protect their account.
I have no sympathy for people that loose their account/data/games/etc when they don't use the tools provided to them.