Slashdot Mirror


Steam Bug Allowed Password Resets Without Confirmation

An anonymous reader writes: Valve has fixed a bug in their account authentication system that allowed attackers to easily reset the password to a Steam account. When a Steam user forgets a password, he goes to an account recovery page and asks for a reset. The page then sends a short code to the email address registered with the account. The problem was that Steam wasn't actually checking the codes sent via email. Attackers could simply request a reset and then submit a blank field when prompted for the code. Valve says the bug was active from July 21-25. A number of accounts were compromised, including some prominent streamers and Dota 2 pros. Valve issued password resets to those accounts with "suspicious" changes over the past several days.

1 of 62 comments

  1. Re:If something like this slips through testing by Bengie · Score: 4, Interesting

    Obviously they don't unit test their failure cases, only their success cases. I've programmed many security APIs for stuff around validation and authentication, and there are many, many more failure cases, but you need to test them all. My general rule of thumb is to unit test all edge cases I can think of.

    The only thing more important than something working how I want it is for it to fail how I want it.
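As an added illustration (not Valve's code, and not posted by the submitter or by Bengie) of both the bug the summary describes and the failure-case testing the comment argues for, here is a hypothetical reset-code verifier in two forms. `verify_code_flawed` is one plausible way such a check goes wrong (the mismatch test is guarded by the truthiness of the submitted value, so a blank field skips it entirely); `verify_code` is the hardened form. `run_failure_cases` is the kind of suite the comment recommends: every input the verifier must reject, plus the one it must accept, so the two can be compared side by side. The `store` dict, the account names, the code alphabet, the TTL and the attempt cap are all constructed assumptions for the example.

```python
import hmac
import secrets
import time

# Constructed parameters for the example; nothing here is Valve's configuration.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I ambiguity
CODE_LENGTH = 5
CODE_TTL_SECONDS = 15 * 60
MAX_ATTEMPTS = 5


def issue_code(store, account, now=None):
    """Create a pending reset code for `account`, record it server-side and
    return it (a real service would e-mail it). `store` is a plain dict
    standing in for a database table keyed by account."""
    if now is None:
        now = time.time()
    code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
    store[account] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code


def verify_code_flawed(store, account, submitted, now=None):
    """Hypothetical flawed verifier (an assumption, not Steam's code): the
    mismatch test only runs when `submitted` is truthy, so an empty string
    or None skips the comparison and the reset is approved."""
    pending = store.get(account)
    if pending is None:
        return False
    if submitted and submitted != pending["code"]:
        return False
    return True


def verify_code(store, account, submitted, now=None):
    """Hardened verifier: rejects blank, missing, malformed, wrong and expired
    codes, caps guesses, compares in constant time, consumes the code on use."""
    pending = store.get(account)
    if pending is None:
        return False
    if now is None:
        now = time.time()
    if now > pending["expires"]:
        del store[account]
        return False
    pending["attempts"] += 1
    if pending["attempts"] > MAX_ATTEMPTS:
        del store[account]          # too many guesses: force a fresh request
        return False
    if not isinstance(submitted, str) or len(submitted) != CODE_LENGTH:
        return False                # blank, None and malformed input land here
    if not hmac.compare_digest(submitted.encode(), pending["code"].encode()):
        return False
    del store[account]              # single use: a replay must fail
    return True


def _wrong_for(code):
    """A code that differs from `code` in exactly its first character."""
    return ("B" if code[0] == "A" else "A") + code[1:]


def run_failure_cases(verify):
    """The failure-case suite the comment argues for. Returns
    {case_name: accepted?} for the given verifier; only "correct" should be True."""
    t0 = 1_000.0
    results = {}

    def fresh():
        store = {}
        return store, issue_code(store, "alice", now=t0)

    store, code = fresh()
    results["correct"] = verify(store, "alice", code, now=t0)

    store, code = fresh()
    results["blank"] = verify(store, "alice", "", now=t0)

    store, code = fresh()
    results["none"] = verify(store, "alice", None, now=t0)

    store, code = fresh()
    results["wrong"] = verify(store, "alice", _wrong_for(code), now=t0)

    store, code = fresh()
    results["expired"] = verify(store, "alice", code, now=t0 + CODE_TTL_SECONDS + 1)

    store, code = fresh()
    results["unknown_account"] = verify(store, "mallory", code, now=t0)

    store, code = fresh()
    verify(store, "alice", code, now=t0)                   # legitimate first use
    results["replay"] = verify(store, "alice", code, now=t0)

    store, code = fresh()
    for _ in range(MAX_ATTEMPTS):
        verify(store, "alice", _wrong_for(code), now=t0)
    results["after_lockout"] = verify(store, "alice", code, now=t0)
    return results


if __name__ == "__main__":
    for name, fn in (("flawed", verify_code_flawed), ("hardened", verify_code)):
        print(name, run_failure_cases(fn))
```

Running the suite against the flawed verifier shows "blank" and "none" accepted alongside "correct", which is exactly the class of defect a success-only test suite never exercises; against the hardened verifier only "correct" is accepted. The length check and `hmac.compare_digest` together mean the decision never depends on the truthiness of the input or on how many leading characters happened to match.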