Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

Steam Bug Allowed Password Resets Without Confirmation 62

An anonymous reader writes: Valve has fixed a bug in their account authentication system that allowed attackers to easily reset the password to a Steam account. When a Steam user forgets a password, he goes to an account recovery page and asks for a reset. The page then sends a short code to the email address registered with the account. The problem was that Steam wasn't actually checking the codes sent via email. Attackers could simply request a reset and then submit a blank field when prompted for the code. Valve says the bug was active from July 21-25. A number of accounts were compromised, including some prominent streamers and Dota 2 pros. Valve issued password resets to those accounts with "suspicious" changes over the past several days.
This discussion has been archived. No new comments can be posted.

Steam Bug Allowed Password Resets Without Confirmation

Comments Filter:
  • by Anonymous Coward on Monday July 27, 2015 @09:29AM (#50189591)

    That's pretty funny considering the NIGHTMARE I went through getting my steam account reset as the email account I used to register (DOH!) was a previous work email that is no longer active, so sending me an email asking if I want to change my email is pointless. And now I find out that if I had have waited, it wasn't even verifying the code?

    FFS

  • by gweihir ( 88907 ) on Monday July 27, 2015 @09:31AM (#50189627)

    Then testing either sucks completely or ignores security functionality. This really is an absolute basic thing to test, just as testing that giving a wrong password does not give you access. The state of practical software engineering seems to still be abysmal, even after this problem has been known for a few decades. It is high time to legally bar amateurs from doing software that has any security functionality that protects customer assets and data.

    • by Bengie ( 1121981 ) on Monday July 27, 2015 @09:54AM (#50189869)
      Obviously they don't unit test their failure cases, only their success cases. I've programmed many security APIs for stuff around validation and authentication, and there are many many more failure cases, but you need to test them all. My general rule of thumb is to unit test all edge cases I can think of.

      The only thing more important than something working how I want it is for it to fail how I want it.
      • I called to get support for software I was using. After explaining the problem the support person said they were confused and asked me to elaborate. I said the x was no longer working and I had tried a, b, & c to fix it. The tech was like our product doesn't do x! And I was like well I've been using it to do x for months. It seems a feature I had been using for months turned out to be a bug and gotten fixed in the newest release.
        • by Bengie ( 1121981 )
          I can't say one way or the other for whatever you bug was, I like to do validation as much as possible in my code until there is a valid performance issue. Several times in the past few years I've had outside developers start using my code only to have their front-ends blow up with some helpful error messages. They would complain that my backend code was causing their frontend code to fail, but I explained that they were making undefined calls and my backend code was just making sure calls were being used i
      • by gweihir ( 88907 )

        Indeed. Incidentally, a professional penetration-test does exactly that.

    • by Anonymous Coward

      Valve doesn't have testers. They literally have zero testers. Developers are supposed to test their own code but many of the teams have zero automated tests. The 'contract' with the customers is basically that will Valve will ship cool stuff and the customers will forgive their mistakes.

      This contract works okay for the games, mostly, but falls down pretty hard for Steam. Steam does have tests, but not really enough.

      TL;DR Many Valve developers have a shocking disregard for code quality and failures like this

  • Continuous Deployment is so awesome.
  • by Anonymous Coward

    I got one of the password reset emails during this "attack". The email you receive specifically states:
    If you are not trying to reset your Steam login credentials, please ignore this email. It is possible that another user entered their login information incorrectly.

    Yep, if you didn't try to reset your password, ignore the fact that you got the password reset email.

    Lucky me, apparently I enabled Steam Guard back in 2013.

    • by Bengie ( 1121981 )
      I had a similar thing a month ago. I got an email that stated I got a password reset request. Just to test things, I logged out of Steam and logged back in. It said someone else from another IP "logged in" to my account, that was after I entered my original password. That left me confused. How could someone log in if my password was the same. I saw a reset request, but I never got an email that my password got changed.

      I decided to change my password, and just to test things out I issues a password reset i
  • ....stop complaining about these hidden features and start thanking the developers for making it so easy for $random_hacker to ruin years of work.

    It's funny, though, because resetting the password on a STEAM account the way you're supposed to can be a total clusterfuck that will leave you cursing for days, if not weeks. Ask me how I know.
  • > The problem was that Steam wasn't actually checking the codes sent via email.

    Really, Steam? Really? You really, truly didn't even bother to check the code you sent as "confirmation"? The code that is the raison d'être for sending the code in the first place?

    This is the kind of mistake I'd expect from a newbie who's still getting the hang of "Hello, World!", not from a multi-million dollar team of professional developers.
    • by ledow ( 319597 )

      I think it's more of a side-issue.

      If there was a code in the box, it checked it. And refused incorrect codes.

      But nobody tested it when there wasn't a code in the box.

      Still pathetic, but a little less so.

      • by Bengie ( 1121981 )
        The fact that the front end logic implements the business logic that handles password reset is a bad practice. The front end should call an internal API that has a signature like this "bool TryPasswordReset(string username, string resetCode, out userObject user)". If unccessfuly user is null, but if the try is successful, then user is a valid user object that can be passed into the change password API that looks like this "bool TryChangePasswordWithReset(UserObject user, string newPassword, string resetCode
      • If there was a code in the box, it checked it. And refused incorrect codes.

        But nobody tested it when there wasn't a code in the box.

        In what world is (null) not an invalid code? What color is the sky there?

        • by ledow ( 319597 )

          You're missing the point (though the practical implications are the same).

          The check on whether the code was valid was only run if the user typed a code into the box. Typing in random letters wouldn't validate. Typing in a valid code would.

          It was an oversight that the checks existed but never actually took place in the case of null, not that they were not capable of validating codes.

          As such, rather than just "Let's make up random codes and then ignore them and validate anything", the thought process was "L

  • by RogueyWon ( 735973 ) on Monday July 27, 2015 @02:48PM (#50192429) Journal

    Microsoft's Xbox Live system had something similar a few years ago. In that case, the "bug" was actually a flaw in their online and phone support protocols and is pretty well documented here.

    This was used to compromise a large number of accounts in 2011 and 2012, with the compromised accounts generally being used to make tradeable FIFA DLC purchases, allowing Xbox Live purchases to be laundered back into real cash.

    I got stung by it myself, which utterly shocked me as my XBL password was a strong password that had only ever been entered into my 360 console - so even if my PC were compromised (and I was pretty sure it wasn't), the password certainly hadn't been extracted via a keylogger. MS were very prompt in responding and gave the impression that they were dealing with a lot of these cases. They refunded the £50 that the scumbag had spent and gave me 3 months free XBL Gold subscription as well, which seemed odd given I was still convinced the slip-up must have been on my end.

    Wasn't until I saw that Kotaku article a few months later that I realised what had happened. The irony is that this was going on at the same time as the Sony PSN breach and, unlike the PSN breach, it resulted in accounts actually being compromised and fraudulent purchases being made. But as it was a steady drip-drip-drip of compromised accounts rather than an eye-catching big-bang "hack", the mainstream media never picked up on it.

  • "Dear Valve: Please go to http://ka.je/ [ka.je] to see a solution to your authentication problem. The Kaje Picture Password SAAS removes all passwords from your website, eliminates transmission of passwords across the net - they are converted to an encrypted hash in the browser - and prevents phishing attacks. The Kaje SAAS never knows anything about the user, so there is no way (short of hacking two different operating systems run by two different companies on completely separate networks, at least one of which

Fast, cheap, good: pick two.

Working...