Slashdot Mirror


Steam Bug Allowed Password Resets Without Confirmation

An anonymous reader writes: Valve has fixed a bug in their account authentication system that allowed attackers to easily reset the password to a Steam account. When a Steam user forgets a password, he goes to an account recovery page and asks for a reset. The page then sends a short code to the email address registered with the account. The problem was that Steam wasn't actually checking the codes sent via email. Attackers could simply request a reset and then submit a blank field when prompted for the code. Valve says the bug was active from July 21-25. A number of accounts were compromised, including some prominent streamers and Dota 2 pros. Valve issued password resets to those accounts with "suspicious" changes over the past several days.


  1. If something like this slips through testing by gweihir · Score: 5, Insightful

    Then testing either sucks completely or ignores security functionality. This really is an absolute basic thing to test, just as testing that giving a wrong password does not give you access. The state of practical software engineering seems to still be abysmal, even after this problem has been known for a few decades. It is high time to legally bar amateurs from doing software that has any security functionality that protects customer assets and data.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.