Steam security flaw allowed account hijacking
Until recently, a flaw in Steam’s account security system allowed users to take over any account they wanted. The problem lay with a major flaw in Valve’s password recovery system.
YouTube user Elm Hoe made a video showing how the exploit works. On a password reset, Valve emails a code to the owner of the account, and the user must then enter that code into Steam. However, if an attacker left that field empty and simply pressed submit, Steam still offered the option to set a new password, as if the correct email code had been entered. In this way any account without Steam Guard enabled could be taken over. Steam Guard is a service in which Steam asks for an extra verification code with every login from an unrecognised device; Valve sends that code by email.
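The symptom described above, an empty reset code being accepted as if it were correct, is the kind of defect a defender can reproduce and test against in a reset flow. The following Python is an added illustration, not Valve's code and not a reconstruction of Steam's actual root cause (which the article does not state): `ResetStore`, its in-memory dictionary, the 15-minute code lifetime and the account names are all assumptions made for the example. It places a verification routine with the "missing code means nothing to check" pattern next to a hardened one that rejects empty or non-string input, enforces expiry, compares in constant time and consumes the code on first use.

```python
import hmac
import secrets
import time

# Assumption for the example: a reset code is valid for 15 minutes after issue.
CODE_TTL_SECONDS = 15 * 60


class ResetStore:
    """Constructed in-memory store of pending reset codes (stand-in for a database)."""

    def __init__(self):
        self._pending = {}  # account -> (code, expires_at)

    def issue_code(self, account, now=None):
        """Generate a fresh random code for the account and record its expiry."""
        now = time.time() if now is None else now
        code = secrets.token_hex(16)  # 128 bits of randomness, not guessable
        self._pending[account] = (code, now + CODE_TTL_SECONDS)
        # In a real flow the code would be emailed to the owner, not returned here.
        return code

    def verify_weak(self, account, submitted):
        """Illustrative defective check: an absent or empty code short-circuits to success.

        This reproduces the article's symptom (submit with an empty field, get the
        password-change screen); it is not Steam's actual implementation.
        """
        entry = self._pending.get(account)
        if entry is None:
            return False
        stored, _ = entry
        if not submitted:
            # Bug pattern: "no code supplied" is treated as "no code to check".
            return True
        return submitted == stored

    def verify(self, account, submitted, now=None):
        """Hardened check: reject empty input, expired codes and reuse; compare in constant time."""
        now = time.time() if now is None else now
        # Empty, whitespace-only or non-string input is never a valid code.
        if not isinstance(submitted, str) or not submitted.strip():
            return False
        entry = self._pending.get(account)
        if entry is None:
            return False
        stored, expires_at = entry
        if now > expires_at:
            del self._pending[account]  # expired codes are discarded, not retried
            return False
        ok = hmac.compare_digest(submitted.encode(), stored.encode())
        if ok:
            del self._pending[account]  # single use: a code cannot be replayed
        return ok


if __name__ == "__main__":
    store = ResetStore()
    code = store.issue_code("alice", now=1000.0)
    print("weak check accepts empty code:", store.verify_weak("alice", ""))
    print("hardened check accepts empty code:", store.verify("alice", "", now=1000.0))
    print("hardened check accepts real code:", store.verify("alice", code, now=1000.0))
```

The hardened path also removes the code on success, so an attacker who observes a one-time code after the owner has already used it gains nothing; the `now` parameter exists only so that expiry can be exercised deterministically in tests.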
However, no permanent damage could be done with the method: an account logged in from a new device cannot trade for a number of days, for example. Valve has since fixed the security issue. Accounts that showed ‘suspicious password activity’ have automatically been given a password reset by the company. Valve told Kotaku that it became aware of the bug on July 25 and that the problem has since been fixed. It is not known how long the hole in security had existed.