Holy Holes, Gaben! Steam Account Hijack Exploit Fixed
Exploiting account recovery
Valve are a taciturn company, which is fair enough. Mercy knows if I received ten thousand e-mails and tweets about Half-Life 3 every day, I'd dedicate my life to obliterating the written word. At times, though, they really should break the silence. They should shout and yell and scream and let everyone know what's going on. Say, if for five days a security hole had let ne'er-do-wells easily take over people's accounts. Nope.
Valve have closed the hole, but Steam's website - including the Store - is down now and I have no idea whether that's connected, because they aren't announcing anything about this. Speak up, son.
The exploit had let folks take over accounts whose username they knew by abusing the password recovery feature. By saying they'd forgotten the password, they could select the option to send a recovery code to the account's registered e-mail address - but then skip that step by entering nothing where the code should go. They'd then have access to the account, and could change the password to something new. If you knew an account's name, you could take it over without access to the owner's e-mail or anything. It was a pretty gaping security hole.
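As an added illustration of the class of bug described above (this is not Valve's code, which isn't public, but a simplified model of a recovery-code check), here is a Python snippet with the flawed logic beside a hardened version. The account names, codes and the in-memory `_pending` store are all constructed for the example.

```python
import hmac
import secrets
import time

# Constructed in-memory store: account name -> (recovery code, expiry time).
# A real service would persist this server-side; a dict is enough to demonstrate.
_pending = {}


def issue_recovery_code(account, ttl_seconds=600):
    """Generate a single-use code, remember it, and return it (standing in for
    the e-mail that would carry it to the registered address)."""
    code = secrets.token_hex(4).upper()
    _pending[account] = (code, time.time() + ttl_seconds)
    return code


def verify_code_vulnerable(account, submitted):
    """Flawed check modelled on the behaviour the article describes: a blank
    field is treated as 'nothing to verify' and the caller proceeds to the
    password-change step without ever proving e-mail access."""
    if not submitted:
        return True  # the hole: empty input bypasses the comparison
    stored = _pending.get(account)
    return stored is not None and submitted == stored[0]


def verify_code_fixed(account, submitted):
    """Hardened check: a code must have been issued, must not have expired, the
    submission must be non-empty and match in constant time, and the code is
    consumed on success so it cannot be reused."""
    entry = _pending.get(account)
    if entry is None or not submitted:
        return False
    code, expires_at = entry
    if time.time() > expires_at:
        del _pending[account]  # stale code: drop it and refuse
        return False
    if not hmac.compare_digest(code.encode(), submitted.encode()):
        return False
    del _pending[account]  # single use: a second attempt with the same code fails
    return True


if __name__ == "__main__":
    issued = issue_recovery_code("demo_user")
    print("vulnerable, blank code:", verify_code_vulnerable("demo_user", ""))
    print("fixed, blank code:     ", verify_code_fixed("demo_user", ""))
    print("fixed, real code:      ", verify_code_fixed("demo_user", issued))
```

The defensive points are the ones Valve's flaw skipped: treat a missing or empty code as a failure rather than a no-op, require that a code was actually issued for that account, and expire and consume codes so they cannot be guessed at leisure or replayed.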
Here's someone demonstrating how simple the exploit was:
Valve being Valve, they've fixed this but not announced anything about it. Folks who lost their accounts were left digging around forums and subreddits and sites trying to find out what was going on. However, Valve did at least speak to Kotaku about it yesterday, saying that they learned about the hole on Saturday, July 25th and that it had been exploited since last Tuesday, July 21st. Valve said:
"To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.
"Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified.
"We apologize for any inconvenience."
There's still no official announcement on Steam, the Steam Twitter account, Steam Support's Twitter, the Steam Facebook page, and so on. I don't know what's going on with the Steam Store either, which is annoying because I really want to buy and play Cradle.