Slashdot Mirror

← Back to Stories (view on slashdot.org)

Steam Bug Allowed Password Resets Without Confirmation

Posted by Soulskill on from the users-rather-steamed dept.

An anonymous reader writes: Valve has fixed a bug in their account authentication system that allowed attackers to easily reset the password to a Steam account. When a Steam user forgets a password, he goes to an account recovery page and asks for a reset. The page then sends a short code to the email address registered with the account. The problem was that Steam wasn't actually checking the codes sent via email. Attackers could simply request a reset and then submit a blank field when prompted for the code. Valve says the bug was active from July 21-25. A number of accounts were compromised, including some prominent streamers and Dota 2 pros. Valve issued password resets to those accounts with "suspicious" changes over the past several days.

1 of 62 comments (clear)

  1. Re:That's funny by Anonymous Coward · · Score: 0, Flamebait

    what dumbass uses a work email address for personal accounts? You're a fuckwit.

    -CM