Slashdot Mirror


Steam Bug Allowed Password Resets Without Confirmation

An anonymous reader writes: Valve has fixed a bug in their account authentication system that allowed attackers to easily reset the password to a Steam account. When a Steam user forgets a password, he goes to an account recovery page and asks for a reset. The page then sends a short code to the email address registered with the account. The problem was that Steam wasn't actually checking the codes sent via email. Attackers could simply request a reset and then submit a blank field when prompted for the code. Valve says the bug was active from July 21-25. A number of accounts were compromised, including some prominent streamers and Dota 2 pros. Valve issued password resets to those accounts with "suspicious" changes over the past several days.

3 of 62 comments

  1. That's funny by Anonymous Coward · Score: 5, Funny

    That's pretty funny considering the NIGHTMARE I went through getting my Steam account reset, as the email account I used to register (DOH!) was a previous work email that is no longer active, so sending me an email asking if I want to change my email is pointless. And now I find out that if I had waited, it wasn't even verifying the code?

    FFS

  2. If something like this slips through testing by gweihir · Score: 5, Insightful

    Then testing either sucks completely or ignores security functionality. This really is an absolute basic thing to test, just as testing that giving a wrong password does not give you access. The state of practical software engineering seems to still be abysmal, even after this problem has been known for a few decades. It is high time to legally bar amateurs from doing software that has any security functionality that protects customer assets and data.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

    1. Re:If something like this slips through testing by Bengie · Score: 4, Interesting

      Obviously they don't unit test their failure cases, only their success cases. I've programmed many security APIs for stuff around validation and authentication, and there are many many more failure cases, but you need to test them all. My general rule of thumb is to unit test all edge cases I can think of.

      The only thing more important than something working how I want it is for it to fail how I want it.
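
The story's bug (a reset code that was emailed but never compared) and Bengie's point about unit-testing the failure cases both come down to the same small piece of logic, so here is one added example covering both. It is not Valve's code and nothing here reflects how Steam's recovery page is implemented; the five-digit code length, ten-minute lifetime, lockout threshold, `ResetStore` class and every function name are assumptions for illustration. `vulnerable_verify` reproduces the pattern described in the summary (a pending request is treated as proof), `hardened_verify` does the comparison with constant-time equality, expiry, single use and a guess limit, and `run_failure_cases` is the negative test battery: blank field, wrong code, no request, reuse, expiry and brute-force lockout, alongside the one success case.

```python
"""Password-reset code verification: the unchecked-code bug beside a hardened
check, plus the failure-case tests a reviewer would expect.
Added example, not Valve's/Steam's code; names and constants are assumptions."""
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 5          # assumed length of the emailed code
CODE_TTL_SECONDS = 600   # assumed lifetime of a code
MAX_ATTEMPTS = 5         # assumed number of wrong guesses before the code is burned


def _hash_code(code):
    # Store only a digest so a leaked table does not reveal live codes.
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


class ResetStore:
    """In-memory table of pending resets: account -> [digest, expiry, failed attempts]."""

    def __init__(self):
        self.pending = {}

    def issue_code(self, account, now=None):
        """Generate a fresh code for the account and return it (a real system emails it)."""
        now = time.time() if now is None else now
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self.pending[account] = [_hash_code(code), now + CODE_TTL_SECONDS, 0]
        return code


def vulnerable_verify(store, account, submitted):
    """Bug pattern from the story: a reset is pending, so whatever was submitted
    is accepted without ever being compared. A blank field passes."""
    return account in store.pending


def hardened_verify(store, account, submitted, now=None):
    """Accept only a well-formed, unexpired, matching code; single use; guess-limited."""
    now = time.time() if now is None else now
    entry = store.pending.get(account)
    if entry is None:
        return False                    # nothing was requested for this account
    digest, expires_at, _attempts = entry
    if now > expires_at:
        del store.pending[account]      # an expired code can never succeed
        return False
    # Reject malformed input before comparing; a blank field never matches.
    well_formed = len(submitted) == CODE_LENGTH and submitted.isdigit()
    if well_formed and hmac.compare_digest(_hash_code(submitted), digest):
        del store.pending[account]      # single use: the code is consumed on success
        return True
    entry[2] += 1                       # count the failed guess
    if entry[2] >= MAX_ATTEMPTS:
        del store.pending[account]      # burn the code after too many wrong guesses
    return False


def _other_code(code):
    """A well-formed code guaranteed to differ from the issued one."""
    return "00000" if code != "00000" else "11111"


def run_failure_cases(now=1_000_000.0):
    """Exercise the failure cases (and the one success case) against both checks.
    Every value in the returned dict should be True."""
    results = {}
    store = ResetStore()
    code = store.issue_code("alice", now=now)

    # The buggy check accepts an empty code as long as a reset was requested.
    results["vulnerable_accepts_blank"] = vulnerable_verify(store, "alice", "")

    # Hardened check: failures first, then the single success, then reuse.
    results["blank_rejected"] = not hardened_verify(store, "alice", "", now=now)
    results["wrong_rejected"] = not hardened_verify(store, "alice", _other_code(code), now=now)
    results["no_request_rejected"] = not hardened_verify(store, "bob", code, now=now)
    results["correct_accepted"] = hardened_verify(store, "alice", code, now=now)
    results["reuse_rejected"] = not hardened_verify(store, "alice", code, now=now)

    # Expiry: the right code, presented after its lifetime, is refused.
    code = store.issue_code("alice", now=now)
    late = now + CODE_TTL_SECONDS + 1
    results["expired_rejected"] = not hardened_verify(store, "alice", code, now=late)

    # Lockout: after MAX_ATTEMPTS wrong guesses even the right code is refused.
    code = store.issue_code("alice", now=now)
    for _ in range(MAX_ATTEMPTS):
        hardened_verify(store, "alice", _other_code(code), now=now)
    results["locked_out_after_guessing"] = not hardened_verify(store, "alice", code, now=now)
    return results


if __name__ == "__main__":
    for name, ok in run_failure_cases().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The two points worth taking from it: the vulnerable version is a single line that looks plausible in a code review, because "is there a pending reset?" is a real precondition that simply stops short of the comparison; and the success-path test would pass against both versions, so only the negative cases distinguish them.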