Holy Holes, Gaben! Steam Account Hijack Exploit Fixed

Exploiting account recovery

Valve are a taciturn company, which is fair enough. Mercy knows if I received ten thousand e-mails and tweets about Half-Life 3 every day, I'd dedicate my life to obliterating the written word. At times, though, they really should break the silence. They should shout and yell and scream and let everyone know what's going on. Say, if for five days a security hole had let ne'er-do-wells easily take over people's accounts. Nope.

Valve have closed the hole, but Steam's website - including the Store - is down now and I have no idea whether that's connected, because they aren't announcing anything about this. Speak up, son.

The exploit let anyone take over an account whose username they knew by abusing the password recovery feature. After claiming to have forgotten the password, they could pick the option to send a recovery code to the account's registered e-mail address, then skip that step entirely by submitting nothing where the code should go. The flow accepted the blank code, gave them access to the account, and let them change the password to something new. In short, knowing an account's name was enough to take it over, with no access to the owner's e-mail or anything else. It was a pretty gaping security hole.
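The bug class described above, as an added example that is not Steam's code and not anything shown in this article: a server-side recovery-code check that treats a blank submission as "this step was skipped" rather than "wrong code", next to a check that fails closed. The function names, the in-memory stores, the sample "victim" account, the code lifetime and the attempt budget are all assumptions made for the illustration.

```python
"""Hypothetical recovery-code verification (not Steam's code) showing the
bug class from the article: a reset flow that lets an empty code through,
beside a check that fails closed."""
import hmac
import secrets
import time
from typing import Dict, Optional

CODE_TTL_SECONDS = 600   # assumed lifetime of a recovery code
MAX_ATTEMPTS = 5         # assumed guess budget before the code is burned

# Constructed in-memory store: username -> pending reset state.
_pending: Dict[str, dict] = {}
# Constructed in-memory "user database": username -> current password.
_passwords: Dict[str, str] = {"victim": "old-password"}


def issue_code(username: str, now: Optional[float] = None) -> str:
    """Create a one-time recovery code for the account (sent by e-mail in reality)."""
    code = f"{secrets.randbelow(10**8):08d}"
    _pending[username] = {
        "code": code,
        "expires": (time.time() if now is None else now) + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_vulnerable(username: str, submitted: str) -> bool:
    """Flawed check: it only compares when the client sent something, so "" passes."""
    state = _pending.get(username)
    if state is None:
        return False
    # Bug: a missing code is read as "user skipped this step", not as a failure.
    if submitted and submitted != state["code"]:
        return False
    return True


def verify_hardened(username: str, submitted: str, now: Optional[float] = None) -> bool:
    """Fail closed: the code must be present, unexpired, within the attempt
    budget, compared in constant time, and consumed on success."""
    now = time.time() if now is None else now
    state = _pending.get(username)
    if state is None or not submitted:
        return False
    if now > state["expires"] or state["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(username, None)   # burn it; the user must request a fresh code
        return False
    state["attempts"] += 1
    if not hmac.compare_digest(submitted.encode(), state["code"].encode()):
        return False
    _pending.pop(username, None)       # single use
    return True


def reset_password(username: str, submitted: str, new_password: str, verify) -> bool:
    """Complete the reset only if the supplied verifier accepts the code."""
    if username not in _passwords or not verify(username, submitted):
        return False
    _passwords[username] = new_password
    return True


def demo() -> Dict[str, bool]:
    """Replay the attack (blank code, no mailbox access) against both checks."""
    results = {}
    issue_code("victim")                      # attacker triggers the e-mail step
    results["blank_code_vulnerable"] = reset_password("victim", "", "pwned", verify_vulnerable)
    issue_code("victim")
    results["blank_code_hardened"] = reset_password("victim", "", "pwned", verify_hardened)
    real_code = issue_code("victim")          # the legitimate owner reads their mail
    results["real_code_hardened"] = reset_password("victim", real_code, "fresh", verify_hardened)
    results["replay_hardened"] = reset_password("victim", real_code, "again", verify_hardened)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'reset succeeded' if ok else 'reset refused'}")
```

The point of the hardened version is that every branch that is not an exact, timely, first-time match refuses the reset: an absent code is a failure, not a bypass; expiry and the attempt budget stop brute-forcing an eight-digit code; and the code is deleted once used so it cannot be replayed.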

Here's someone demonstrating how simple the exploit was:

Valve being Valve, they've fixed this but not announced anything about it. Folks who lost their accounts were left digging around forums and subreddits and sites trying to find out what was going on. However, Valve did at least speak to Kotaku about it yesterday, saying that they learned about the hole on Saturday, July 25th and that it had been exploited since last Tuesday, July 21st. Valve said:

"To protect users, we are resetting passwords on accounts with suspicious password changes during that period or that may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users log in to their account via the Steam client and set a new password.

"Please note that while an account password was potentially modified during this period, the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified.

"We apologize for any inconvenience."

There's still no official announcement on Steam, the Steam Twitter account, Steam Support's Twitter, the Steam Facebook page, and so on. I don't know what's going on with the Steam Store either, which is annoying because I really want to buy and play Cradle.

About the Author

Alice O'Connor

News Editor

When not writing news, Alice may be found in the sea.
