Valve patches huge password reset hole that allowed anyone to hijack Steam accounts

After some Steam gamers had their accounts hacked, Valve blamed it on a 'bug,' but the vulnerability seemed more like a critical authentication pit since anyone could exploit it to hijack an account.

Steam password reset vulnerability

After losing control of their Steam accounts, some gamers and Twitch streamers were definitely steamed. Valve blamed the account takeovers on a “bug,” but the vulnerability seemed more like a critical hole – an authentication pit – since anyone could exploit it to hijack an account. Valve has patched the problem, but there is an example of Steam’s password reset issue on JSFiddle for anyone who wants to try the exploit.

When logging into the Steam client, an attacker only needed to click the “forgot password” link used to “retrieve” an account. That would take the attacker to a Steam Support page for “I forgot my Steam Account name or password,” according to a video showing the exploit. An attacker could enter an account name and “search.” After finding that account name, Steam would ask “How would you like to reset your password?”

An attacker would select the option to “email an account recovery code to” the associated address. Steam Support would say it had sent a recovery code to that email address and ask for the code to be entered. However, an attacker could leave the account recovery code box blank and simply hit “continue.” Steam Support would then take the attacker straight to the password reset page.
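To make the flaw concrete, here is an added illustration (not Valve's code; the in-memory store, names and values are constructed for the example) of a recovery-code check that lets a blank submission through, next to a hardened version that enforces a non-empty, unexpired, rate-limited, single-use code:

```python
# Added illustration, not Valve's code: a minimal model of the "enter your
# recovery code" step. verify_flawed() skips the check when the submitted code
# is blank (the behaviour the article describes); verify_hardened() does not.
import hmac
import secrets
import time

# Constructed in-memory store: account -> [code, expiry (epoch secs), attempts left]
PENDING = {}

def issue_code(account, ttl=900):
    """Generate a recovery code for the account (this is what would be emailed)."""
    code = secrets.token_hex(4).upper()  # 8 hex characters, demo only
    PENDING[account] = [code, time.time() + ttl, 5]
    return code

def verify_flawed(account, submitted):
    """Flawed check: an empty code is treated as 'nothing to verify' and passes."""
    if not submitted:
        return True  # BUG: a blank submission bypasses the code check entirely
    entry = PENDING.get(account)
    return entry is not None and submitted == entry[0]

def verify_hardened(account, submitted, now=None):
    """Hardened check: non-empty, pending, unexpired, rate-limited, constant-time, single-use."""
    now = time.time() if now is None else now
    submitted = (submitted or "").strip().upper()   # normalise before any decision
    entry = PENDING.get(account)
    if not submitted or entry is None:
        return False                       # nothing submitted or no code pending
    code, expiry, attempts = entry
    if now > expiry or attempts <= 0:
        PENDING.pop(account, None)         # expired or too many tries: start over
        return False
    entry[2] -= 1                          # count this attempt before comparing
    if not hmac.compare_digest(submitted, code):
        return False
    PENDING.pop(account, None)             # single use: consume the code on success
    return True
```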

Valve has not made an official statement about the password reset vulnerability, and that silence is nearly deafening since the security hole in Steam potentially affected millions of gamers. “Elm Hoe,” the guy explaining the Steam account hijack process in the video, said Valve enacted a seven-day ban on accounts accessed from a new device and a five-day ban after a password change. Valve told Kotaku it knew about the “bug” on July 25 “that could have impacted the password reset process on a subset of Steam accounts during the period July 21-July 25. The bug has now been fixed.”

There are murmurings that having Steam Guard enabled did not protect accounts from being hijacked, although Valve claimed Steam Guard did protect accounts. Since several Twitch streamers had their Steam accounts hijacked, it makes you wonder…if a person games for a living, then surely he or she would have Steam Guard enabled? Gamers certainly should use Steam Guard.

Valve told Kotaku:

To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users log in to their account via the Steam client and set a new password.

Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified.

We apologize for any inconvenience.

It might be wise for gamers to use the Steam Guard mobile authenticator, but the Android version has 25,984 1-star ratings. Yet 236,655 Android users gave the app five stars, and the iOS version is rated three and a half stars.


Steam Guard mobile authenticator screen capture from Steam "update news" on July 18.

Valve made an estimated $730 million in revenue in 2014; the company made about $400 million through its digital marketplace and top three games, DOTA 2, Team Fortress 2 and Counter-Strike Global Offensive. The total Steam revenue in 2014 reached an estimated $1.5 billion.
