Steam Bug Allowed Password Resets Without Confirmation
An anonymous reader writes: Valve has fixed a bug in their account authentication system that allowed attackers to easily reset the password to a Steam account. When a Steam user forgets a password, he goes to an account recovery page and asks for a reset. The page then sends a short code to the email address registered with the account. The problem was that Steam wasn't actually checking the codes sent via email. Attackers could simply request a reset and then submit a blank field when prompted for the code. Valve says the bug was active from July 21-25. A number of accounts were compromised, including some prominent streamers and Dota 2 pros. Valve issued password resets to those accounts with "suspicious" changes over the past several days.
That's pretty funny considering the NIGHTMARE I went through getting my Steam account reset as the email account I used to register (DOH!) was a previous work email that is no longer active, so sending me an email asking if I want to change my email is pointless. And now I find out that if I had waited, it wasn't even verifying the code?
FFS
Then testing either sucks completely or ignores security functionality. This really is an absolute basic thing to test, just as testing that giving a wrong password does not give you access. The state of practical software engineering seems to still be abysmal, even after this problem has been known for a few decades. It is high time to legally bar amateurs from doing software that has any security functionality that protects customer assets and data.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The Half-Life wiki has a good article called Future of the Half-Life series where you can follow the latest developments.
On March 19, Gabe Newell, when asked about Half-Life 3, replied: "The only reason we'd go back and do like a super classic kind of product is if a whole bunch of people just internally at Valve said they wanted to do it and had a reasonable explanation for why [they did]." This, like all of Valve's other statements regarding Half-Life 3, neither confirms nor denies the possibility that the game will eventually be made.
I think it's more of a side-issue.
If there was a code in the box, it checked it. And refused incorrect codes.
But nobody tested it when there wasn't a code in the box.
Still pathetic, but a little less so.
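The summary and the comment above describe the same failure mode: a reset code that is compared only when one is submitted, so a blank field walks straight past the check. The following is an added example, not Valve's code (which is not public); the in-memory store, the account names and the five-digit code format are assumptions. It puts the vulnerable check next to a hardened one that rejects empty input, enforces expiry, limits guesses and makes each code single-use.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset code
MAX_ATTEMPTS = 5             # assumed guess budget per issued code


class ResetStore:
    """Constructed in-memory stand-in for a reset backend: account -> (code, expiry, attempts)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised in tests
        self._pending = {}

    def request_reset(self, account):
        # Short numeric code of the kind the article describes; in a real system it is
        # emailed to the registered address and never returned to the caller.
        code = f"{secrets.randbelow(10 ** 5):05d}"
        self._pending[account] = (code, self._now() + CODE_TTL_SECONDS, 0)
        return code

    def pending(self, account):
        return self._pending.get(account)

    def update(self, account, entry):
        self._pending[account] = entry

    def clear(self, account):
        self._pending.pop(account, None)


def verify_vulnerable(store, account, submitted):
    """Reproduces the reported bug: the comparison runs only when a code was typed.
    An empty submission is treated as 'nothing to check' and the reset proceeds."""
    if not submitted:
        return True          # the blank-field bypass described in the summary
    entry = store.pending(account)
    return entry is not None and entry[0] == submitted


def verify_hardened(store, account, submitted):
    """Accepts a reset only for a present, unexpired, single-use code that matches exactly."""
    entry = store.pending(account)
    if entry is None:
        return False
    code, expiry, attempts = entry
    if store._now() > expiry or attempts >= MAX_ATTEMPTS:
        store.clear(account)     # stale or brute-forced codes are discarded outright
        return False
    # Empty, None, or wrongly sized input never reaches the comparison; every failure burns an attempt.
    if not isinstance(submitted, str) or len(submitted) != len(code):
        store.update(account, (code, expiry, attempts + 1))
        return False
    if hmac.compare_digest(code.encode(), submitted.encode()):   # constant-time compare
        store.clear(account)     # single use: a second submission of the same code fails
        return True
    store.update(account, (code, expiry, attempts + 1))
    return False


def demo():
    """Runs both checks against the same scenarios and returns the observed outcomes."""
    clock = [1_000_000.0]
    store = ResetStore(now=lambda: clock[0])
    code = store.request_reset("alice")
    wrong = "99999" if code != "99999" else "00000"

    vulnerable = {
        "blank": verify_vulnerable(store, "alice", ""),
        "wrong": verify_vulnerable(store, "alice", wrong),
        "right": verify_vulnerable(store, "alice", code),
    }
    hardened = {
        "blank": verify_hardened(store, "alice", ""),
        "none": verify_hardened(store, "alice", None),
        "wrong": verify_hardened(store, "alice", wrong),
        "right": verify_hardened(store, "alice", code),
        "replay": verify_hardened(store, "alice", code),
    }
    # Expiry: a fresh code presented after the TTL has passed is refused.
    code2 = store.request_reset("bob")
    clock[0] += CODE_TTL_SECONDS + 1
    hardened["expired"] = verify_hardened(store, "bob", code2)
    return vulnerable, hardened


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the first row of each table: the vulnerable check returns True for a blank field while still refusing a wrong code, which is exactly why a test suite that only tries right and wrong codes would have passed. The hardened version treats "no code" as just another failed attempt, and `pending()` going away after success is what stops a captured code from being reused.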
I had a similar thing a month ago. I got an email that stated I got a password reset request. Just to test things, I logged out of Steam and logged back in. It said someone else from another IP "logged in" to my account, that was after I entered my original password. That left me confused. How could someone log in if my password was the same? I saw a reset request, but I never got an email that my password got changed.
I decided to change my password, and just to test things out I issued a password reset instead of just changing my password the normal way. I got the email saying a password reset was requested, then I changed my password and I got another email saying my password was changed.
Since nothing was amiss, I assume that someone did not log into my account but only issued a password reset. This scares me. To me this indicates that the web page thought the Chinese IP address actually logged in. If I was to write a program to notify a user that an unknown IP logged into their account, I would tie that in with the authentication logic so that on a successful login, an email gets sent. Does this mean the Steam code that handles password resets technically calls a code path that authenticates as that user? Shitty programming is all I can say.
Microsoft's Xbox Live system had something similar a few years ago. In that case, the "bug" was actually a flaw in their online and phone support protocols and is pretty well documented here.
This was used to compromise a large number of accounts in 2011 and 2012, with the compromised accounts generally being used to make tradeable FIFA DLC purchases, allowing Xbox Live purchases to be laundered back into real cash.
I got stung by it myself, which utterly shocked me as my XBL password was a strong password that had only ever been entered into my 360 console - so even if my PC were compromised (and I was pretty sure it wasn't), the password certainly hadn't been extracted via a keylogger. MS were very prompt in responding and gave the impression that they were dealing with a lot of these cases. They refunded the £50 that the scumbag had spent and gave me 3 months free XBL Gold subscription as well, which seemed odd given I was still convinced the slip-up must have been on my end.
It wasn't until I saw that Kotaku article a few months later that I realised what had happened. The irony is that this was going on at the same time as the Sony PSN breach and, unlike the PSN breach, it resulted in accounts actually being compromised and fraudulent purchases being made. But as it was a steady drip-drip-drip of compromised accounts rather than an eye-catching big-bang "hack", the mainstream media never picked up on it.