Holy Holes, Gaben! Steam Account Hijack Exploit Fixed

Welp I guess that's a Steam logo.

Valve are a taciturn company, which is fair enough. Mercy knows if I received ten thousand e-mails and tweets about Half-Life 3 every day, I’d dedicate my life to obliterating the written word. At times, though, they really should break the silence. They should shout and yell and scream and let everyone know what’s going on. Say, if for five days a security hole had let ne’er-do-wells easily take over people’s accounts. Nope.

Valve have closed the hole, but Steam’s website – including the Store – is down now and I have no idea whether that’s connected, because they aren’t announcing anything about this. Speak up, son.

The exploit let anyone who knew an account’s username take it over by abusing the password recovery feature. By saying they’d forgotten the password, they could select the option to send a recovery code to the account’s registered e-mail address – but then skip that step by entering nothing where the code should go. They’d then have access to the account, and could change the password to something new. If you knew an account’s name, you could take it over without access to the owner’s e-mail or anything. It was a pretty gaping security hole.

Here’s someone demonstrating how simple the exploit was:

Valve being Valve, they’ve fixed this but not announced anything about it. Folks who lost their accounts were left digging around forums and subreddits and sites trying to find out what was going on. However, Valve did at least speak to Kotaku about it yesterday, saying that they learned about the hole on Saturday, July 25th and that it had been exploited since last Tuesday, July 21st. Valve said:

“To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.

“Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified.

“We apologize for any inconvenience.”

There’s still no official announcement on Steam, the Steam Twitter account, Steam Support’s Twitter, the Steam Facebook page, and so on. I don’t know what’s going on with the Steam Store either, which is annoying because I really want to buy and play Cradle.

75 Comments

  1. Cantisque says:

    Valve are terrible when it comes to keeping their customers informed. I still suspect this has something to do with their unorthodox corporate structure.

    If you only hire jacks-of-all-trade developers and let them do what they want, chances are they’re going to avoid things like customer support.

    I certainly hope they get voted as worst company next time rather than EA in whatever that vote was (forgot), it might send a wakeup call that they can’t just rely on automation all the time.

    • Cinek says:

      Steam gets too much humping to even get nominated for the worst company. All these circlejerks around Valve, like PC Master Race, are taking care of that.

    • holymadman says:

      I also hope Valve gets some wake up call because they have been and are still terrible in some segments. I stopped buying things from Steam, only bought a few things that were under $5 and have no intentions to buy any more AAA games. I bought Witcher 3 on GoG for example and will continue to avoid Steam like the plague until they get back on the road. People can say what they want but for me Origin is getting slowly but surely better than Steam, been using it for a few years now and didn’t have any problems, Gametime is a big plus.

      What mostly annoys me is the trash games they let in through Steam Greenlight, one of the most recent is Jim Sterling’s video about 3 minecraft/dayz mash ups clones.

      • Don Reba says:

        > What mostly annoys me is the trash games they let in through Steam Greenlight, one of the most recent is Jim Sterling’s video about 3 minecraft/dayz mash ups clones.

        How does that even affect you? If it makes it more difficult to find new games through Steam, then shunning Steam sure won’t help.

      • Dawngreeter says:

        It certainly takes a lot of willpower to avoid Steam like the plague and only occasionally buy titles on sale.

        • Don Reba says:

          I say, he must not be avoiding the plague nearly hard enough!

    • LionsPhil says:

      Perhaps they ought to hire some goddamn (non-game) testers, too. This is a truly embarrassing cock-up to get all the way into production.

      • Devan says:

        I’ll say. I would not want to be the guy who built the UI for that feature. He must be spending the next month avoiding eye contact with people in the halls.
        Hopefully this leads to some reform in Valve in regards to security auditing and penetration testing. They said the issue was first exploited on July 21st, but that feature has been there for a very long time. I wonder if the bug has been there all along or whether it was introduced with a more recent update.

    • Solidstate89 says:

      Why would the game developers have anything to do with password recovery schemes, databases, etc? They would have nothing to do with either public announcements or fixing them.

      This is an utter failure on Valve’s part, but I have no idea what your comment about their development practices has to do with literally any of this.

      • bills6693 says:

        Development isn’t just game development, it’s software development in general.

        They must have people whose job is software development of its Steam platform – and their development process is pretty unorthodox. I believe there was an article elsewhere on RPS (probably from a year or more ago) talking about how the developers of Steam work, and it was pretty unique.

      • Cantisque says:

        At no point did I mention game developers.

        Also, the structure of Valve is basically that all employees are equal and free to work on whatever project or experiment they want.

        Think of it like a supermarket, except they only hire managers. You can bet the cashier chairs will sit empty.

    • Phasma Felis says:

      I hope the “Worst Company” goes to one of those companies that is actually, y’know, killing people or stealing their homes and shit, instead of being hijacked by a bunch of over-entitled fuckups who think that the quality of their entertainment software is a bigger issue than human lives.

  2. All is Well says:

    To be fair though, if you have a security vulnerability that a) pretty much anyone can use, and b) users can’t actually protect themselves from, if I’ve understood things correctly (well, save from not telling anyone else what their username is), wouldn’t it be sort of sensible to keep quiet about it?

    • PancakeWizard says:

      That was my thinking. Wont stop the Valve-hate brigade though. They’ll take anything they can get. “Remember that time Valve fucked up? ABANDON SHIP DRM OFFLINE MODE GET GOG I LOVE GOG, GOG GOG GOG!”

      I think that just about covers it.

      • Harlander says:

        So we’ve had “people love Steam uncritically” and “people hate Steam uncritically”, is that a full set or do we need something else?

        • Sarfrin says:

          I’m indifferent. Does that cover it?

          • gunny1993 says:

            Only if you write a list of pros and cons then set fire to it to show your indifference

          • Jeroen D Stout says:

            I feel your indifference is really uncritical.

        • arisian says:

          What about “Ambivalent”? I mean, I really like the idea of a digital distribution platform that actually works like a proper package management system (i.e. auto-patching, cloud saves, etc.), and they’ve been way out front of the other platforms in terms of pushing cross-platform support (especially Linux). But at the same time, I find their pseudo-monopolistic market share to be very concerning, and the fact that (most) games use the platform as a form of DRM (i.e. there are very few games that can be run without having Steam running in the background) makes me uncomfortable about what will happen if/when the platform ever stops being actively supported (which statistics say will probably happen, sooner or later).

          So, yeah, I think “ambivalent” is an important addition, and not at all the same as “indifferent” :)

      • Sarfrin says:

        Oh, come on. You have to admit it’s a pretty major fuck up and it’s not like no-one will ever hear about it if Valve don’t say anything. A public statement would be in order.

        • Rockman says:

          Well it is a fuck up but I wouldn’t call it major. There IS a way to defend against this – Steam Guard. Anyone with steam guard might have ended up with a changed password and that’s it. If you don’t have it enabled….. Why not?

          • Cinek says:

            If that’s not a major fuck up – then I don’t know what would be. And to make it even more amusing – I heard people using the same line during the data breach scandal.

          • Sarfrin says:

            You wouldn’t call giving anyone access to an account just by putting nothing in a password recovery code box major? I guess it’s not Steam sending a man round to slaughter your first born, but I wouldn’t say it’s trivial as these things go.

          • mike2R says:

            I’m a Steam fanboy, but on a scale of 1 to major fuckup, this is clearly a major fuckup. A particularly adventurous forum spambot could probably have managed to execute this entirely by accident.

        • PancakeWizard says:

          Yes, it’s a major fuck up. But a) it won’t stop me (or likely anyone) using Steam and b) the schadenfreude needs heading off.

          minor c) who the fuck turns off Steam Guard (which is on by default)?

        • Shadow says:

          It’s quite an important fuck-up, but if my information’s accurate, it’s nothing devastating for the user as it doesn’t mean more than a temporary (likely brief for a regular Steam user) account loss. It’s a pretty big deal someone might change your password and access your account, but the hijackers wouldn’t be able to change the e-mail address without access to that as well. Meaning no permanent loss.

          It’s only a matter of resetting your password as soon as you detect something fishy. And enabling Steam Guard, which is on by default and still boggles the mind why someone would disable that. The legitimate reasons for that sound quite far-fetched: if your account is linked to a non-existent address, a) why haven’t you tried to remedy that getting in touch with support? It’s a major risk in any case, and b) why did you register a sensitive account to an address you could well lose in the future (i.e. ISP’s)?

          So it looks like it’s an exploit which would only affect the deliberately insecure accounts, and only temporarily, at that. Still a major hole, but nothing to remotely drop Steam about. That’d be like abandoning a country purely because several people got robbed in a different state.

    • suibhne says:

      Thing is, users could protect themselves quite easily, using Steam Guard – which Valve introduced several years ago. Everyone should always have two-factor enabled everywhere it’s possible, and Steam supports this quite nicely.

      At the very least, Valve could’ve told everyone to enable it. More strongly, they might have forced it on (tho I know it wouldn’t work for everyone).

      • mattevansc3 says:

        Or they could have followed the rest of the industry and enabled it by default.

        • Orillion says:

          Pretty sure they do. I know I’ve never enabled it, but it’s always been on as long as it’s been around for me.

        • bills6693 says:

          It is enabled by default. But some people choose to turn it off for reasons unknown (they don’t want to have to take the 20 seconds to open their e-mails, find the e-mail, and copy-paste the code into the box?).

          Actually there probably are pretty reasonable reasons someone would turn it off but it’d be pretty darn rare – if you use Steam on a system where for some reason you can’t access your e-mails, or if your e-mail address Steam is registered to no longer exists (which I believe you can’t recover because you can’t change your e-mail address for Steam without responding to an e-mail to the old address, which is impossible if it no longer exists, or that’s how it was several years ago anyway, from personal experience. Maybe Steam support can help now but they refused to back then).

          Anyway – some people have turned steam guard off. Steam could re-enable it on all their accounts remotely, but this could mess up access for some people who turned it off for legitimate reasons like I mentioned above and I’m sure there are other real reasons people can’t use it. But I imagine it could have saved most of the accounts hacked – although how many accounts that is we are not sure.

      • All is Well says:

        You’re right. It slipped my mind what Steam Guard was for a moment and I commented before I remembered, but yeah it’s an extremely easy way to protect yourself and is even on by default (I think?), which pretty much invalidates point b) and thus my entire comment.

    • Solidstate89 says:

      Security by Obscurity is never the answer. They should have sent an e-mail out, a major press release, tweeted, Facebooked – whatever, however that this was a vulnerability and if you don’t already have Steam Guard enabled to go enable it now; at least until this vulnerability was fixed. The fact this was an open vulnerability for 5 days, and they didn’t say anything about it, is completely inexcusable.

      • Xocrates says:

        This is a double-edged sword. It both means some people would take precautions, but it would also alert others that the exploit exists, meaning an increase in people taking advantage of it.

        Without knowing how widespread this was, there’s no way of knowing whether keeping quiet was the right call or not.

      • Xocrates says:

        Also, according to the article, while the vulnerability was open for 5 days, Valve was aware of it for 1 before fixing it and telling people about it.

    • mattevansc3 says:

      No it would not. You do not need to tell users how the exploit works. You merely tell the users that an exploit exists, to check their accounts for suspicious activity and setup SteamGuard for extra security.

      This is accepted practice throughout the IT industry.

    • Don Reba says:

      The responsible thing to do would have been to shut the community service down immediately upon learning about the vulnerability and make a public announcement.

    • fish99 says:

      Agree. Announcing to the world that every account was now easily hackable without having a fix in place would have been a disaster.

    • Phasma Felis says:

      After you’ve fixed the bug? No, at that point keeping silent looks like an attempted cover-up.

      If you mean before you’ve fixed it, it’s a moot point with a bug that is simultaneously so simple and so catastrophic, because there shouldn’t be enough time between discovering and fixing it to type up a press release.

  3. Lars Westergren says:

    Let’s see if the spam filter eats this.

    function tokenMatches(input, token) {
        // Compares only as many characters as the input has, so an empty input
        // never enters the loop and is reported as matching any token.
        for (let x = 0; x < input.length; x++) {
            if (input[x] != token[x]) return false;
        }
        return true;
    }

    There are lots of fun ways to screw up password reset schemes as a programmer though.
    link to news.ycombinator.com

    • LionsPhil says:

      If you’re writing your own string comparison, you’ve already failed, even if you get it exactly right.

      (I would make an exception for crypto libraries where timing attacks matter over early-return performance, but OpenSSL at least is in a permanent state of fail anyway.)

    • Person of Interest says:

      That’s a fairly contrived example. Let me give you a better one. I fixed a bug similar to this last month in PHP, on a high-traffic public website. The original, bugged code was:


      if (isset($inputToken) && $inputToken == $secretToken) { /* token is genuine */

      Consider what would happen if $secretToken was null. Or if $inputToken was not a string, but a boolean or integer. Or if $secretToken was never null, and $inputToken was always a string, but $secretToken was in the form of a hexadecimal string (PHP’s == can do some surprising things). Fortunately some other code coincidentally prevented its exploitation.

  4. Sarfrin says:

    Seriously? A security code check that accepts a blank field as a match? Who on earth coded that???

    • bills6693 says:

      Stab in the dark but maybe a stupid error where they said ‘don’t allow you to progress if wrong code entered’ meaning you can progress if that condition isn’t met – i.e. you DON’T enter a WRONG code. And no code isn’t a wrong code?

      • Superpat says:

        How would that work though?
        if x = “hash” and y = “” then the response is always false.
          y could be equal to 0 or false depending on the language, but I don’t see it happening that way

        • Lars Westergren says:

          I show one way you can write an incorrect implementation above.

    • arisian says:

      The issue is probably that “check to see if two strings match” is likely (in languages like C) to cause your program to crash if one of the strings doesn’t exist (we could argue that you shouldn’t be using a language like this for a program like this, but honestly that kind of argument only flies in academia where you’re totally insulated from the real world). So before you do the compare, first you have to check to see if both strings exist, and if one doesn’t you need to do . So the bug is likely that the wasn’t what it should have been, but the fact that the check took place is not at all surprising.

      • Lars Westergren says:

        “Avoiding non-safe languages” is something I can guarantee you is taken seriously outside of academia, at major organizations.

        • jrodman says:

          In my experience, it’s considered, but often not prioritized. Your mileage may vary by organizational competency and field of course.

      • joa says:

        You really think the backend for the account recovery is written in C anyway? Don’t be absurd. Even in safe languages, there are plenty of mistakes to make.

        • Don Reba says:

          The community backend is written in PHP, which is worse than C.

  5. melnificent says:

    Luckily my account name and public name are completely different. My paranoia paid off.

  6. Monggerel says:

    hahahaha wow gg wp

  7. Hunchback says:

    Came here looking for a comment by a user called GABEN or some such, seen how indie game devs usually pop on RPS chat to talk about their projects etc…

    Oh wait…

  8. GAmbrose says:

    It’s pretty bad.

    By why wouldn’t you have Steam guard enabled?

    • Hunchback says:

      Agreed, this must be the most ridiculous hack ever, or at least the worst I’ve ever heard of. But then, Steam Guard exists and I suppose it can protect you from every such stupidity.
      Not really sure how people can hack two-way security, it must be doable, but the prize must be really damn good for them to waste time so… why not use Steam Guard?

      • mattevansc3 says:

        Because you don’t need to be computer literate to install Steam or play games via Steam.

        Just think how many Steam accounts were created just to play Skyrim? It’s an automated process they don’t need to pay attention to and don’t really care much for.

        This is why most of the major IT based companies have Two Stage Authentication enabled by default. If they didn’t make their customers do it, a large proportion wouldn’t.

        • bills6693 says:

          I believe steam guard IS enabled by default? Correct me if I’m wrong, please.

          So then the question really is, who turns off steam guard? Either very lazy people, or probably a small number of people with real reasons to – such as the e-mail address they registered steam to has been lost.

          • Cinek says:

            Blaming a victim? Really?

          • bills6693 says:

            It’s not the victim’s fault that the security breach occurred, no. Such security breaches are bad and they are the fault of Valve, yes. But there are precautions one can take against it that should be taken.

            If you didn’t lock your house and someone broke into it, is it your fault? No, it’s the person who burgled you. But you SHOULD have locked your house to guard against this.

            If you left your keys in your car, and it gets stolen, is it your fault? No. But you could have taken a precaution against it.

            And it’s not right that people go round stealing cars or burgling houses, and they are the criminals, but it’s also your responsibility to take reasonable precaution, and while it may not be the ideal world to live in, society supports this – your insurance will not pay out if you left your house unlocked, for example. And if there was a news article going ‘Family home burgled while they left it unlocked on a day out’, you know exactly what the comments would be. The family isn’t to blame for crime but they could have taken precautions that they didn’t.

            So while it’s not the fault of victims who had their steam accounts hijacked because of Valve’s fuck up, and the people who are to blame are the hackers, not the victims, there was a reasonable precaution they could have taken against this.

      • Lars Westergren says:

        > Not really sure how people can hack two-way security

        Ways to bypass 2-factor authentication:
        Leak both components as a user. Or developers screw up security server side.

  9. gunny1993 says:

    Now, the thing to ask is where does this lie on the cock up meter, I’m thinking above even adobe a few years back with their shitty security.

  10. James says:

    On the scale of security cock-ups this isn’t quite the full Adobe but it’s almost there. I’d rate it a 9/10, would change password and facepalm again.

  11. Barberetti says:

    Nice of Valve to apologise to Kotaku’s readers. Very decent of them.

  12. bills6693 says:

    It’s not the victim’s fault that the security breach occurred, no. Such security breaches are bad and they are the fault of Valve, yes. But there are precautions one can take against it that should be taken.

    If you didn’t lock your house and someone broke into it, is it your fault? No, it’s the person who burgled you. But you SHOULD have locked your house to guard against this.

    If you left your keys in your car, and it gets stolen, is it your fault? No. But you could have taken a precaution against it.

    And it’s not right that people go round stealing cars or burgling houses, and they are the criminals, but it’s also your responsibility to take reasonable precaution, and while it may not be the ideal world to live in, society supports this – your insurance will not pay out if you left your house unlocked, for example. And if there was a news article going ‘Family home burgled while they left it unlocked on a day out’, you know exactly what the comments would be. The family isn’t to blame for crime but they could have taken precautions that they didn’t.

    So while it’s not the fault of victims who had their steam accounts hijacked because of Valve’s fuck up, and the people who are to blame are the hackers, not the victims, there was a reasonable precaution they could have taken against this.

    • mewse says:

      What are you even talking about?

      The “house” (in your analogy) was locked. The users had every expectation that they had done the right thing, and were completely safe. They were not being naive, they were not ignoring “reasonable precautions”. The problem is that the locks (provided by Valve) turned out to be completely ineffective if someone inserted a blank key.

      Your “unlocked house” analogy really doesn’t work at all. The users had done the right thing; it was only Valve who screwed up.

      • bills6693 says:

        It was meant to be a reply to a comment above but it posted as a full post accidentally – and the removal of both the edit and deletion tools meant it had to stay.

  13. gotrice541 says:

    What I’m wondering is does anyone ever test these types of things. If it involves major changes to something or a security issue, no matter how small. They should have a team that tests it. I don’t care, but test everything in a week’s period before sending out the update to everyone. It seems like none of the staff members are testing their code for any “loop-holes” that could endanger people’s information as well as in-game items. It’s like the moment they get the coding “done” they just send it out.