Gamers Steaming over dumb Valve password vuln

Over the weekend, game publisher Valve patched a vulnerability that let user accounts have their passwords reset without proper validation. UK gamer Elm Hoe demonstrated the simple attack in the YouTube video below. In case you don't have time to watch it, the coding error was simplicity in itself. After the …

  1. msknight

    Can't get on.

    The Steampowered web site is returning... "An error occurred while processing your request."

    Hmmm..... I guess it's getting hammered by everyone trying to check their logons.

    I did actually get a steam password reset e-mail to one of my steam accounts, but it went on fine, so I guess I was lucky. I'm also not a high profile gamer, but if I can't get on to the web site, I can't check my creds.

    1. Kraggy

      Re: Can't get on.

      It seems a widespread domain outage, the forums are down as well as the Store, so it may be more than just their account system under strain.

      1. Pascal Monett Silver badge

        Having no issues with the Steam client

        Probably means that the web Store is not on the same framework.

  2. Khaptain Silver badge

    "As he points out, now Valve is aware of the issue, anyone trying the hijack would be risking a permanent ban."

    The hackers must be quaking in their boots... (and not Quake 4, quaking)

  3. Paul Shirley

    Steam Guard is a PIA

    Ummmm, almost justifies the pain of Steam Guard and its complete inability to remember I've logged in from the same machine+browser as little as a few hours earlier.

    Almost. I seriously doubt it would even slow down an attacker.

    1. poopypants

      Re: Steam Guard is a PIA

      That's odd. I've been using Steam Guard for over a year and it very rarely asks me to type in an authentication number. In fact I can't recall the last time it did. Same with Google. Still, I'm sure the gamble of not having two factor authentication gives you a little thrill of excitement, so there is that.

      1. Anonymous Coward

        Re: Steam Guard is a PIA

        The Steam client retains account details; however, logging in via a browser that clears cookies etc. means repeat authentication, the same as logging in on a new machine.

        It would be interesting to know how long this hole has been present, as Steam has been holding people responsible for the action of "hacked" accounts and not removing VAC bans when the owner regains control.

      2. Triggerfish

        Re: Steam Guard is a PIA

        Yes, it behaves itself with me as well; forgot I had it on. Dunno why, but Steam seems to be really well behaved with most people/installs, but if you are one who gets problems it's a plague of them.

    2. Meerkatjie

      Re: Steam Guard is a PIA

      I had the same issue - every time I logged in I had to enter the steam guard code. Since I don't leave my password in or leave steam running constantly I was having to do this 2-3 times each day. A nice 'remember this machine for a week' would have been good.

      1. Anonymous Coward

        Re: Steam Guard is a PIA

        WTF is 'steam guard'? I've been a Steam subscriber ever since Steam went live, and I don't ever remember Valve telling me about this, whatever it is.

        It's quite possible that I blinked and missed it or was asleep the day it was announced, but surely an account protection mechanism is something they would bring to your attention from time to time?

    3. Pascal Monett Silver badge

      I find that Steam Guard activates itself every time I log on from another computer.

      That is something I understand and don't really mind.

      Compared to EA Games or Orange, Steam is a dream to work with.

  4. Anonymous Coward

    "In case you don't have time to watch it" ...

    ... or in my case you're inside the great corporate firewall where the standard el-reg cop-out link to yoochoob is blocked, and Flash in the browser is also disabled...

    1. Anonymous Coward

      "... or in my case you're inside the great corporate firewall where the standard el-reg cop-out link to yoochoob is blocked, and Flash in the browser is also disabled..."

      Hell, I don't need a corporate firewall to do that. I do it to myself!

  5. adam payne

    The code doesn't get validated and it just lets you straight through, that is priceless.

    I wonder how long this hole has been there.

    1. Brewster's Angle Grinder Silver badge

      It does make me feel better about the critical bug I've just uncovered in my code. It takes 700 words to explain what's gone wrong.

  6. Vince Lewis 1

    thanks for the heads up VALVe

    I'm on the Steam forum every day and I read about it here.

    Mind you, on VALVe's 100 things to do list, customer service is somewhere in the low thousands.

  7. Anonymous Coward

    I do worry about stuff like this. While I'm not a "prominent" gamer, I do have a valuable account at ~1000 games. I keep Steam Guard enabled because it's really not that much of a bugbear, though I don't use their new two-factor authentication doodad on my phone, mainly because they decided not to roll with the existing standards.

