Valve security hole that enabled takeover of Steam account


Post by John Doe » Mon Jul 27, 2015 10:09 am

Valve patches security hole that enabled takeover of Steam accounts
Attacker could steal account with nothing but a username.


http://arstechnica.com/gaming/2015/07/v ... -accounts/

Valve has patched a bug in its Steam system that let an attacker easily take over an arbitrary account using nothing but the account's username.

The hijacking exploit took advantage of a hole in Steam's password recovery feature, which sends a recovery code to the registered e-mail address associated with the account. That e-mailed code needs to be entered on a form through the Steam website, but an attacker could simply skip that code entry step, leaving the recovery code area blank, and have full access to the password change dialog, as demonstrated in this video.

In a statement to Kotaku, Valve said it quickly fixed the bug when made aware of it on Saturday, July 25 but that "a subset of Steam accounts" could have been affected since July 21. It's hard to know precisely how often the attack was used in that time, but a number of prominent Counter-Strike: GO streamers and others with well-known Steam usernames seem to have been affected.

Valve says accounts that have seen "suspicious password changes" are being contacted individually via e-mail to get their accounts straightened out. The Steam store was also down for a few hours this morning, though it's not clear if that was directly related to this bug or the fix.

This is the biggest public vulnerability for Steam since 2011, when Valve confirmed that hackers had compromised a database containing Steam usernames and encrypted passwords and credit card information.
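
Added example, not part of the original post or the quoted article: the article does not describe Valve's implementation, so this Python sketch only illustrates the class of bug it reports, where a blank recovery code is treated as a skipped check, next to a hardened flow that rejects blank codes and re-checks verification at the password-change step. All names (`RecoverySession`, `verify_flawed`, `verify_hardened`, `change_password`) and the policy values are hypothetical.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 900   # assumed policy value
MAX_ATTEMPTS = 5         # assumed policy value


class RecoverySession:
    """Server-side state for one password-recovery attempt (hypothetical)."""

    def __init__(self, username, now=None):
        self.username = username
        self.code = secrets.token_hex(4).upper()  # e-mailed, never sent to the browser
        self.expires_at = (now if now is not None else time.time()) + CODE_TTL_SECONDS
        self.attempts = 0
        self.verified = False


def verify_flawed(session, submitted):
    # Flawed pattern: the comparison only runs when a code was submitted,
    # so a blank field falls through to "verified".
    if submitted and submitted != session.code:
        return False
    session.verified = True
    return True


def verify_hardened(session, submitted, now=None):
    now = now if now is not None else time.time()
    session.attempts += 1
    if session.attempts > MAX_ATTEMPTS or now > session.expires_at:
        return False
    if not isinstance(submitted, str) or not submitted.strip():
        return False  # a missing or blank code is a failure, never a skip
    ok = hmac.compare_digest(submitted.strip().upper().encode(), session.code.encode())
    session.verified = ok
    return ok


def change_password(session, new_password, store):
    # Re-check server-side state here instead of trusting that the client
    # actually went through the code-entry form.
    if not session.verified:
        raise PermissionError("recovery code not verified")
    store[session.username] = new_password
    session.verified = False  # verification is single-use
```
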


Re: Valve security hole that enabled takeover of Steam accou

Post by Boss Llama » Mon Jul 27, 2015 10:16 am

That's such a bad one, it's almost funny. Not funny ha-ha of course, just... /facepalm.

Reminds me of an article I read in a trade journal about an encryption and network security competition between teams from the computer security departments of the various military academies and intel training programs. The goal was to hold out for 24 hours against a team of infiltrators, and they had a couple months to set up their networks and harden them in advance. Once the attacks began, one team lasted approximately 15 seconds, because they made their root password "password."
-Boss Llama


Re: Valve security hole that enabled takeover of Steam accou

Post by Checkm8 » Wed Jul 29, 2015 3:40 pm

God bless the internet!