Steam Bug Allowed Password Resets Without Confirmation

Posted by Soulskill on Monday July 27, 2015 @02:22AM from the users-rather-steamed dept.

An anonymous reader writes: Valve has fixed a bug in their account authentication system that allowed attackers to easily reset the password to a Steam account. When a Steam user forgets a password, he goes to an account recovery page and asks for a reset. The page then sends a short code to the email address registered with the account. The problem was that Steam wasn't actually checking the codes sent via email. Attackers could simply request a reset and then submit a blank field when prompted for the code. Valve says the bug was active from July 21-25. A number of accounts were compromised, including some prominent streamers and Dota 2 pros. Valve issued password resets to those accounts with "suspicious" changes over the past several days.

1 of 62 comments (clear)

Min score:

Reason:

Sort:

Re:HL3HL3HL3 by jones_supa · 2015-07-27 02:36 · Score: 2, Informative

The Half-Life wiki has a good article called Future of the Half-Life series where you can follow the latest developments.
On March 19, Gabe Newell, when asked about Half-Life 3, replied: "The only reason we'd go back and do like a super classic kind of product is if a whole bunch of people just internally at Valve said they wanted to do it and had a reasonable explanation for why [they did]." This, like all of Valve's other statements regarding Half-Life 3, neither confirms nor denies the possibility that the game will eventually be made.