Error in the Steam security system: password recovery without entering a verification code
In the security system of the largest gaming platform Steam, developed by Valve, a serious vulnerability was discovered — on July 25, a video demonstration of the operation of the error was uploaded to YouTube. The problem is widely discussed by users of the Reddit resource.
According to the data presented in the video, an attacker can modestly Steam user account due to incorrect work of the password recovery function - the system accepted even a blank value as the correct code. As a result, the attacker was able to reset the account password.
')
To conduct a successful attack, you only needed to know the name of the user account. At the same time, the attacker could not recognize the Steam user’s email or his old password.
According to the Master Herald, Valve has already fixed a security bug, but the company has not yet provided information on how many accounts could have been compromised in this way. However, users whose accounts were compromised received a letter of the following content (thanks to Haoose for clarifying):
Despite the fact that the hole in the password recovery mechanism has already been closed, the attackers managed to break into many Steam accounts. Among the victims, even some well-known "streamers" from the Twitch resource (for example, RTZ and Resolut1on ) - you can easily find out their username on the Steam system using the "stream" of the gameplay.
According to the profile blogs dedicated to the games, users who activated the protective function of Steam Guard were not subject to attack.
According to the data presented in the video, an attacker can modestly Steam user account due to incorrect work of the password recovery function - the system accepted even a blank value as the correct code. As a result, the attacker was able to reset the account password.
')
To conduct a successful attack, you only needed to know the name of the user account. At the same time, the attacker could not recognize the Steam user’s email or his old password.
According to the Master Herald, Valve has already fixed a security bug, but the company has not yet provided information on how many accounts could have been compromised in this way. However, users whose accounts were compromised received a letter of the following content (thanks to Haoose for clarifying):
Dear Steam user,
July 25, we found an error on the Steam system, which could lead to the possibility of resetting the password on your account from July 21 to 25. Now the error is fixed.
To protect the users of the service, we reset the passwords of the accounts whose passwords were changed during the specified period. You will receive an email with your new password. After receiving the letter, it is recommended to log into your Steam-account and set a new password.
We especially note that in spite of the fact that attackers could have changed the password of your account in the specified period, they could not find out the password itself. If you have activated the Steam Guard function, your account has been protected from unauthorized access even in the event of a password reset.
Despite the fact that the hole in the password recovery mechanism has already been closed, the attackers managed to break into many Steam accounts. Among the victims, even some well-known "streamers" from the Twitch resource (for example, RTZ and Resolut1on ) - you can easily find out their username on the Steam system using the "stream" of the gameplay.
According to the profile blogs dedicated to the games, users who activated the protective function of Steam Guard were not subject to attack.
Source: https://habr.com/ru/post/263607/
All Articles