Slashdot Mirror


Steam Bug Shows You Other Users' Account Details (kotaku.com)

An anonymous reader writes: The Steam game distribution platform is suffering from a particularly bad bug right now. If you log in and try to look at your account details, you're shown the details of another user's account — seemingly picked at random. This includes email address, last 4 digits of a phone number, whether SteamGuard (their two-factor authentication) is enabled, and the last 2 digits of an associated credit card. If you play a game, Steam will show you as being logged in as somebody else while in that game. Many users are being shown pages in other languages, as they are mistaken for players in different regions. This bug follows an apparent DDoS attack that took the service down for several hours. The bug doesn't seem to allow people to purchase games using a different account. That's good, though that means most, perhaps all players, are unable to buy games on Christmas during Steam's huge Winter Sale.

92 comments

  1. Turned off by SuiteSisterMary · · Score: 1

    Oh wow, Valve has simply turned Steam off for the moment.

    Merry Christmas, Valve guys.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
    1. Re: Turned off by Anonymous Coward · · Score: 0

They're Republicans so they hate children. That's why they shut off their games.

    2. Re: Turned off by Anonymous Coward · · Score: 0

      Those Republicans always let children play video games because they're lazy. They just don't take care of their children.

    3. Re: Turned off by Anonymous Coward · · Score: 0

      Sounds like they love children. Turning off video games really helps the kids.

    4. Re:Turned off by Anonymous Coward · · Score: 0

      While none of you are busy, I'd like to remind you all to put everything in the cloud. Make it so that all of your programs and games require an internet connection just to work, it will be awesome!

      Stupid fucks.

  2. So you can meet yourself in-game ? by Fly+Swatter · · Score: 1

    In theory. That's just creepy.

    1. Re:So you can meet yourself in-game ? by Zero__Kelvin · · Score: 1

      If you could meet yourself in-reality, trust me, it would be even more creepy.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  3. Actually by waspleg · · Score: 1

    They haven't. Which is the problem. Just look at the Discussions tab under Steam Discussions. It's total chaos.

    1. Re:Actually by binarylarry · · Score: 3, Funny

      You fool! This is the Combine's first preinvasion tactic!

      Disorient, Divide and Conquer. It's right there in the G-Man's playbook, clear as crystal!

      --
      Mod me down, my New Earth Global Warmingist friends!
    2. Re:Actually by Anonymous Coward · · Score: 0

      HALF LIFE 3 CONFIRMED

    3. Re:Actually by Anonymous Coward · · Score: 0

      OH MY GOD

  4. Half true by Anonymous Coward · · Score: 0

    There's an update installed once you launch steam and I can access my own account and games. But the Steam Store is not accessible still as TFA states.

  5. People are speculating it's these shit stains by waspleg · · Score: 1

    promising DDoS

Who knows. Whatever it is it's too late to matter. Most people who were going to buy shit bought it before today. You can still play your games with this being broken. Although it is scary to see account details change (mine haven't but it did switch to Portuguese).

    1. Re:People are speculating it's these shit stains by Mashiki · · Score: 3, Informative

According to Steam.DB it's a page caching issue, and the server not obeying cache control headers. Which wouldn't surprise me, every time there's a holiday sale of some kind weird things happen on Steam.

      Why anyone would post something from Kotaku and believe it to be trustworthy though is what I find funny in all of this. I'm surprised that Kotaku didn't try to blame white males and the patriarchy for the problems.

      --
      Om, nomnomnom...
    2. Re:People are speculating it's these shit stains by waspleg · · Score: 1

      Yea, I saw that, but steamdb.info isn't steam (I donated money to them yesterday because they're awesome, though).

      I read something that supposedly they got DDoS'd this morning for 2 hours but who knows if that's true I was busy opening presents and eating ham and whatnot.

      The official post which just came out is pretty vague.

    3. Re:People are speculating it's these shit stains by Nrrqshrr · · Score: 1, Offtopic

      Ironically, kotaku is getting tame with their SJW-pandering with each passing day.
      Probably because they realized that alienating generally tech-savvy people who know what adblock is, to attract an audience that doesn't even play video games isn't a sound business plan.

    4. Re:People are speculating it's these shit stains by Anonymous Coward · · Score: 5, Informative

According to Steam.DB it's a page caching issue, and the server not obeying cache control headers. Which wouldn't surprise me, every time there's a holiday sale of some kind weird things happen on Steam.

      In other words, Valve screwed up.

      Because short of some massive MITM attack, it means Valve's account servers are being sent through their caching server. Think about that for a moment - Valve's caching your account page - why? This is a page that has your personal information, and it's being cached by Valve's caching servers before they're being encrypted by the SSL edge device (most traffic is unencrypted, even the secure servers, while it travels on the internal company network - an SSL edge device/load balancer encrypts it before it hits the internet. This is why a caching server can actually cache it - as far as it's concerned, it's regular HTTP traffic).

      And even worse, that caching server, owned by Valve, is configured to only look at headers - it's not set up to simply not cache specific servers.

      There is NOTHING you or I could do to prevent this - it's a pretty epic screw up. One hopes that their credit card payment system isn't this lax - imagine purchasing a game and having your credit card payment cached. Looks like it's not just stores and restaurants, but internet e-commerce sites that can screw up as well.

    5. Re:People are speculating it's these shit stains by Anonymous Coward · · Score: 1

      Ironically, kotaku is getting tame with their SJW-pandering with each passing day.
      Probably because they realized that alienating generally tech-savvy people who know what adblock is, to attract an audience that doesn't even play video games isn't a sound business plan.

      Confused as to how SJW's fit into this conversation, or even your post.

    6. Re:People are speculating it's these shit stains by izat · · Score: 2

      My guess is Steam reconfigured their caching servers in an attempt to mitigate the DDoS attack and accidentally screwed things up (caching signed-in requests).

    7. Re:People are speculating it's these shit stains by Anonymous Coward · · Score: 0

      more assholes pissed at the world or unloved as children fucking up gaming networks for everybody. gee thanks, dickwads.

    8. Re:People are speculating it's these shit stains by Anonymous Coward · · Score: 0

      The same reason someone would still post on Slashdot as if it were trustworthy, they don't know better and people continue to visit here.

      If you want to "solve" the problem, treat the place like digg and avoid it like the plague.

    9. Re:People are speculating it's these shit stains by Anonymous Coward · · Score: 0

      Kotaku has a history of running with articles of that nature.

    10. Re:People are speculating it's these shit stains by Anonymous Coward · · Score: 0

      I'm surprised that Kotaku didn't try to blame white males and the patriarchy for the problems.

      I lol'd. Truth.

    11. Re: People are speculating it's these shit stains by Anonymous Coward · · Score: 0

      Many people got gift cards Christmas day that they would like to use.

    12. Re:People are speculating it's these shit stains by Gumshoe · · Score: 3, Insightful

      Without knowing more details, I think your analysis sounds correct.

      What I want to know is, why isn't this information encrypted apart from the SSL connection? There should be a public-private key pair for every customer managed by the Steam infrastructure and which is used to encrypt these sensitive details. In other words, personal information is encrypted long before it gets anywhere near the caches. That way, if there is a caching problem, the problem is minimal.

      I don't like the idea of relying on SSL to protect this information.

      Shrugs. I don't know (none of us do at this point) but I'll be very interested to hear what the cause of all this is.

    13. Re:People are speculating it's these shit stains by Anonymous Coward · · Score: 1

      Ah ok, makes sense that it was a SystemD problem.

    14. Re:People are speculating it's these shit stains by Anonymous Coward · · Score: 0

      I don't think Windows Server has that capability, does it?

    15. Re:People are speculating it's these shit stains by Anonymous Coward · · Score: 0

      Just wait until the SJW fad sputters out and is treated with the same disdain as the Jack Thompson bullshit.

      Kotaku, Github and all the rest will say 'we were anti-SJW from the start guys, COME ON!'

    16. Re:People are speculating it's these shit stains by phorm · · Score: 1

Sounds like a likely enough explanation. Configuring caching correctly for a site with mixed content can often be a bit of a bitch. Steam probably uses a lot of caching in general, and may turn things up during the big sales, so if somebody misconfigured, for example, mod_cache you could easily get bugs like this where users end up seeing others' details. I remember years back Apache on RHEL changed the way certain options for caching behaved, which bit a number of people in unexpected ways.

    17. Re:People are speculating it's these shit stains by PopeRatzo · · Score: 1

      Ironically, kotaku is getting tame with their SJW-pandering with each passing day.

      I'm curious as to your definition of "ironically".

      --
      You are welcome on my lawn.
    18. Re: People are speculating it's these shit stains by Anonymous Coward · · Score: 1

Mod_cache? Please. I'd be surprised if they weren't using nginx as an SSL capable caching server doing SSL end to end or a pound/varnish combo (again with the option of SSL both directions).

    19. Re:People are speculating it's these shit stains by sumdumass · · Score: 3, Funny

      Don't get too upset. He graduated from high school with Alanis Morissette. Evidently, the class to graduate the year before them thought they were too self centered so for the senior prank, they tore every page in the dictionaries out that defined any word starting with the letter i. Some seniors glued copies of other pages defining words like team, you, them and so on in their place. Some seniors drew pictures of spiders and stick figures in dunce hats thinking they would be funny or something.

      Anyways, it left a generation not knowing the definition of Irony (no, it's not something that feels like metal or clothing your mom pressed).

    20. Re:People are speculating it's these shit stains by Anonymous Coward · · Score: 1

      PSA: If you can't talk about cache control headers without devolving into a rant about "SJWs," no one is ever going to take you seriously.

    21. Re:People are speculating it's these shit stains by William+Baric · · Score: 1

      About Alanis... Cosmic irony. Look it up.

    22. Re: People are speculating it's these shit stains by Anonymous Coward · · Score: 0

      Hahahaaha. Tanks is my favorite game, and I appreciate you supporting it. But what noobs.

    23. Re:People are speculating it's these shit stains by KGIII · · Score: 1

      (no, it's not something that feels like metal or clothing your mom pressed).

      Well, that's ironic.

      *whistles innocently*

      --
      "So long and thanks for all the fish."
    24. Re:People are speculating it's these shit stains by Mashiki · · Score: 1, Informative

      Confused as to how SJW's fit into this conversation, or even your post.

      Kotaku has a long history of pandering to the lowest common denominator when they publish an article. If they're not pandering and trying to blame something on xyz group to draw in clicks, they're running wild claiming that xyz group is the cause of the ills in the first place by just shoving it in there.

      --
      Om, nomnomnom...
    25. Re:People are speculating it's these shit stains by Anonymous Coward · · Score: 0

      Except that wouldn't work at all because the idea of a reverse proxy is that it serves and caches web pages and not much else and there can be MANY reverse proxies (see: CloudFlare or anyone else really). If you want to encrypt it per-customer you would have to load the customer's data from their session (their encryption key at least, which is still going to be quite a resource hit) negating the whole purpose of the reverse proxy. It is a somewhat big screwup but don't sit here and pretend you know how to do better.

    26. Re:People are speculating it's these shit stains by Anonymous Coward · · Score: 1

They are not going to be dumb enough to do that. It's fairly obvious that what happened was that the page submission (i.e. post-CC data submission) was cached and was showing to the wrong people. It's even probable that they are using Varnish or nginx and just misconfiguring the hash (i.e. not setting it per-unique session by accident).

You are completely wrong about using HTTP vs HTTPS, reverse proxies support HTTPS just fine and both can be configured with the private key (or different private keys that are trusted) and given the NSA revelations I suspect many companies are doing that. It is a somewhat big screwup but given that any truly sensitive information would not be leaked by this it is not as big as you make it out to be, and you clearly don't understand what is going on; reverse proxies are usually not binary proxies and they most certainly are not in this situation.

      More in depth explanation on how reverse proxies usually work:
      When the cache is dirty, read from the target server using TLS or SSL if it is an HTTPS target.
      Parse the HTTP request headers and initial data, start sending headers back to the client (also, using HTTPS if configured to do so) then continue reading chunks and sending those chunks as they are received.
      Finally, when all of the remaining chunks (if there were any) are sent, close the connection.
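
The leak that comment 4 above attributes to a cache ignoring Cache-Control, and the per-session cache hash that this comment says was probably misconfigured, modelled as an added example in Python (not code from the page, from Valve, or from Varnish/nginx). A toy origin serves a session-specific /account page and a public store page; a toy shared cache in front of it exposes the three choices that decide whether one user's account page is served to another: the cache key, whether private/no-store is honoured, and a path bypass. All sessions and addresses are constructed.

```python
"""Model of a caching reverse proxy in front of a per-user account page.

Added example, not any real product's configuration. The cache is deliberately
simple so that each misconfiguration the thread speculates about can be
switched on or off and its effect checked.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample data: session cookie -> account details.
ACCOUNTS = {
    "sess-alice": {"email": "alice@example.com", "lang": "en"},
    "sess-bob": {"email": "bob@example.com", "lang": "pt"},
}


@dataclass(frozen=True)
class Request:
    path: str
    cookie: Optional[str] = None


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def origin(req: Request, mark_private: bool = True) -> Response:
    """Toy origin: /account is per-session, everything else is public."""
    if req.path == "/account":
        acct = ACCOUNTS.get(req.cookie)
        if acct is None:
            return Response(401, {"Cache-Control": "no-store"}, "login required")
        # A careful origin labels the page as not shareable; mark_private=False
        # models an application that forgot to.
        cc = "private, no-store" if mark_private else "max-age=60"
        return Response(200, {"Cache-Control": cc}, f"{acct['email']} [{acct['lang']}]")
    return Response(200, {"Cache-Control": "public, max-age=3600"}, "store front")


class CachingProxy:
    """Shared cache in front of origin(). Each flag is one configuration choice."""

    def __init__(self, key_on_cookie: bool, honour_private: bool,
                 bypass_prefixes: Tuple[str, ...] = (), mark_private: bool = True):
        self.key_on_cookie = key_on_cookie      # include the session cookie in the cache key
        self.honour_private = honour_private    # obey Cache-Control: private / no-store
        self.bypass_prefixes = bypass_prefixes  # paths never cached, whatever the headers say
        self.mark_private = mark_private        # does the origin set the header correctly?
        self.store: Dict[tuple, Response] = {}
        self.hits = 0

    def _key(self, req: Request) -> tuple:
        return (req.path, req.cookie) if self.key_on_cookie else (req.path,)

    def _cacheable(self, req: Request, resp: Response) -> bool:
        if self.bypass_prefixes and req.path.startswith(self.bypass_prefixes):
            return False
        directives = {d.strip() for d in resp.headers.get("Cache-Control", "").split(",")}
        if self.honour_private and directives & {"private", "no-store"}:
            return False
        return resp.status == 200

    def fetch(self, req: Request) -> Response:
        key = self._key(req)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        resp = origin(req, self.mark_private)
        if self._cacheable(req, resp):
            self.store[key] = resp
        return resp


def account_page_leaks(proxy: CachingProxy) -> bool:
    """Alice views /account, then Bob does. True if Bob is served Alice's page."""
    proxy.fetch(Request("/account", "sess-alice"))
    return "alice@" in proxy.fetch(Request("/account", "sess-bob")).body


def store_page_cached(proxy: CachingProxy) -> bool:
    """Two sessions load the public store page; True if the second is a cache hit."""
    proxy.fetch(Request("/", "sess-alice"))
    before = proxy.hits
    proxy.fetch(Request("/", "sess-bob"))
    return proxy.hits == before + 1


if __name__ == "__main__":
    # URL-only key, headers ignored: the scenario the thread describes.
    print("headers ignored, leaks:", account_page_leaks(CachingProxy(False, False)))
    # Honouring the header is safe only while the origin remembers to send it.
    print("honours private, leaks:", account_page_leaks(CachingProxy(False, True)))
    print("origin forgot header, leaks:", account_page_leaks(CachingProxy(False, True, mark_private=False)))
    # Per-session key: no leak, but the public page is no longer shared either.
    print("per-session key, store hit:", store_page_cached(CachingProxy(True, False)))
    hardened = CachingProxy(False, True, bypass_prefixes=("/account",), mark_private=False)
    print("hardened, leaks / store hit:", account_page_leaks(hardened), store_page_cached(hardened))
```

The per-session key case is the trade-off comment 25 raises: keying every object on the cookie stops the leak but also stops the public pages from being shared, which is why the hardened configuration instead honours the header and bypasses the account paths outright.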

    27. Re:People are speculating it's these shit stains by spire3661 · · Score: 0

      "I strongly prefer the freemium model used in games like world of tanks." HAHAHAHA. This statement invalidates any opinion you might have on modern gaming.

      --
      Good-bye
    28. Re: People are speculating it's these shit stains by Anonymous Coward · · Score: 0

      Best part is you can't sue valve over the compromise because they force mandatory binding arbitration on you. It's always the sign of a terrible company when they know shit is so mismanaged that people are desperate to sue them.

      I'm glad I quit buying from them when they forced mandatory binding arbitration on me. Sucks I lost all my games, since you had to agree to it to download them.

    29. Re: People are speculating it's these shit stains by Anonymous Coward · · Score: 0

      Dude, someone is talking about pound/varnish servers. I, for one, am confused by this based on name alone. Configuring software is a chore and will remain a monumental chore until OSS programmers take fingers out of asses, drop egos, and pretend that people use the shitsmear software they produce. Until then people will lol at noobs who fail to configure the flurgleflange with the doohickeymebob. Complexity is no solution.

      Programmers these days are fucking pissant ego idiots. Can't write shit that's usable without crying that it needs to be more complicated. We all complain that things aren't used right when they're engineered to be used wrong by default.

      Demand accountability.

    30. Re:People are speculating it's these shit stains by Mashiki · · Score: 1

I'm going to toss something else in here, this is the same organization that is now no longer receiving any information from Bethesda or Ubisoft because of their actions. They're no longer invited to any demos, no E3 presentations, nothing. They've spent the last 5+ years pissing on both of those companies' games, on the developers themselves, and on individual people. All the while launching personal attacks, leaking information and yelling all over the place how "sexist/problematic/racist" xyz game(s) are because of various insane reasons. Other smaller developers have followed those two AAA companies' leads, and for good reason. There's a reason why a lot of smaller studios said "good, let's hope polygon is next."

      --
      Om, nomnomnom...
    31. Re:People are speculating it's these shit stains by Gumshoe · · Score: 1

      Understood. However, I would say that encrypting this sort of personal information on a per-customer basis is worth the resource hit. We shouldn't want that information cached even by accident.

    32. Re:People are speculating it's these shit stains by Anonymous Coward · · Score: 0

      Think about that for a moment

      I have. And I giggled like a schoolgirl.

      it's a pretty epic screw up.

      No, it really isn't - this is a common, garden variety caching issue. I've seen it more times than I can count on everything from Drupal sites configured by overpaid PHP nerds who don't grok Varnish to homebrewed web apps. Same exact issue, precisely - user a logs in, sees user b's name/etc.

      One hopes that their credit card payment system isn't this lax

      In Valve's defense, Steam is one of the few things that actively allows you to not store your godforsaken card in their system forever. The annoyance of having to pull out my wallet to buy a game is absolutely negligible compared to the annoyance of having to deal with yet another card being issued to my bank because ShitCo got rekt.

    33. Re:People are speculating it's these shit stains by Anonymous Coward · · Score: 0

      Ironic how the "it's actually about ethics in games journalism" people really just seem to want journalists to attend industry shindigs and write whatever the damn publishers tell them to.

    34. Re: People are speculating it's these shit stains by Anonymous Coward · · Score: 0

Bollocks. You can't sign away rights to statutory protection, no matter what the agreement says. Valve HAVE been sued for breaching consumer protection laws repeatedly. They are being sued right now in the EU for not allowing people to re-sell games!

    35. Re: People are speculating it's these shit stains by Anonymous Coward · · Score: 0

Are you ignorant? The vast majority of Steam users are cashing in Steam gift certificates today, including me. This is the perfect day to execute an attack.

    36. Re:People are speculating it's these shit stains by Zero__Kelvin · · Score: 1

      That's fucking hilarious. You try to come off as so intelligent and informed, it is almost ironic that your Slashdot alias is sumdumass. I wish I could be there to see your face when you figure out that Alanis understands irony far better than you.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    37. Re:People are speculating it's these shit stains by sumdumass · · Score: 1

      I wouldn't say far better or anything close to the sorts. You almost got there, you admitted it was hilarious but still couldn't get the joke. Of course the story about high school kids tearing out everything in the dictionary that starts with the letter i must be what you thought was intelligent and informed.

      People like you sadden me. But I'm still in the Christmas spirit so I will just wish you and your family well into the new year.

    38. Re:People are speculating it's these shit stains by Zero__Kelvin · · Score: 1

      Imagine my surprise that you don't know what the phrase "started out" means.

      "I wouldn't say far better or anything close to the sorts. "

      That is because you are an idiot. You clearly claimed that Alanis doesn't know what irony means, proving that you don't (since she does.) Only you would claim that actually knowing something doesn't represent a far better understanding than not knowing. But I will say this: you are honest to a fault, at least as far as your Slashdot alias goes.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    39. Re:People are speculating it's these shit stains by sumdumass · · Score: 1

      No I did not clearly claim Alanis doesn't know what Irony means. I clearly claimed that a bunch of high school kids tore pages from a dictionary in an attempt to make a joke. Anything you are referring to other than that is your misguided imagination. Do you understand what that means? It is all in your head.

Now we can talk about your inability to see signs of mental disorder all day long if you want. I would start with pointing out that you cannot take a joke and for some incessant reason have to defend Alanis as if you personally know her (which I doubt is remotely true). But we can also point to the problem you have with ignoring what was actually said and inserting what you want to be said in order to justify your rant. Calling people names is just a sign of a weak mental process and I wouldn't consider that a mental disorder but in your case, it seems to be symptomatic along with the rest of your ailments.

Perhaps you should just seek professional help and put the keyboard down for now or you might really get your panties into a knot.

    40. Re:People are speculating it's these shit stains by Mashiki · · Score: 1

      Ironic how the "it's actually about ethics in games journalism" people really just seem to want journalists to attend industry shindigs and write whatever the damn publishers tell them to.

Ironic that the people who spout the above don't seem to be able to figure out that a company has the right to refuse disclosing information to anyone, especially to an outlet that goes out of its way to damage its brand.

      --
      Om, nomnomnom...
    41. Re:People are speculating it's these shit stains by Zero__Kelvin · · Score: 1

      From your OP:

      "Don't get too upset. He graduated from high school with Alanis Morissette."

      Only a moron would claim "No I did not clearly claim Alanis doesn't know what Irony means." after writing that for all the world to see.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    42. Re:People are speculating it's these shit stains by sumdumass · · Score: 1

      Wow.. How daft can you be?

Ok, let's follow this thread, someone stated how stupid it was to link to kotaku and think it was trustworthy. He then said he was surprised how they didn't try to push the BS SJW crap along with it. The next poster said that kotaku is finding their business model doesn't fit with the SJW crap and has been backing off it. Kotaku is known for pushing the SJW bullshit but seems to be stepping away in favor of profits because the people they attract with the SJW bullshit don't get them paid.

So how is his use of the word ironic (more page views/people attracted to the site because of a specific topic but less revenue overall because of the same type of topic) any different from Alanis Morissette's use? I mean it fits your definition just as well as anything she sings about.

The only person who is claiming Alanis doesn't know what Irony is in this thread is you and you are trying to attribute that statement to me who never said it at all. I wouldn't be going around calling people a moron until you are certain you yourself aren't a bigger moron.

  6. I know how that played out. by Anonymous Coward · · Score: 0

I've seen similar things before, and it's actually totally understandable. It's a bummer that it went so poorly, but what likely happened was they turned on caching, at some level, and this caused the issue. The account views were included in the caching -- which may've been directly targeted by the DDoS for that very reason. They'll probably introduce better caching, at a per user/session level for account views that will resolve it. Simple oversight made during a time of quick response (a.k.a. panic mode).

  7. Here's some official words... by waspleg · · Score: 2

    from a community mod

    They're going around locking topics like whackamole now.

    Here's the text if you're leery:

    Account information incorrect
    We've gotten reports that people sometimes see other people's account information on the account page. Valve has been made aware of this and are working on a fix.

    Some frequently asked questions:
    - No, Steam is not hacked

- Credit card info and phone numbers are, as required by law, censored and not visible to users

    1. Re: Here's some official words... by Anonymous Coward · · Score: 2, Funny

      And that is why Linux is so much safer: my steam hasn't been working since the nvidia update over a month ago. Everything Linux does is a security feature :3

    2. Re:Here's some official words... by Brandano · · Score: 1

      Maybe email addresses should be obscured too, just a thought...

    3. Re: Here's some official words... by Anonymous Coward · · Score: 0

      Try not to think of it as an update but more like a McAfee

    4. Re:Here's some official words... by Anonymous Coward · · Score: 0

      If they don't store your email in plain text, then how could they possibly send email to you?

    5. Re:Here's some official words... by KGIII · · Score: 1

      They don't have a username separate from an email address so that they can salt/hash the email address and not store it in plain text? I'm no guru or anything but that's what I'd look into if I were going to set something like this up.

      --
      "So long and thanks for all the fish."
    6. Re:Here's some official words... by arth1 · · Score: 1

      No, hashing would prevent them from getting the plaintext e-mail address which is needed for sending e-mail, like verification e-mail for trades, receipts for buying, et cetera.

      What they should not do is display the e-mail address to the user unless he enters the account password first. E-mail addresses are confidential.

    7. Re:Here's some official words... by KGIII · · Score: 1

      That's what I mean. Hash and salt the email address, use a username as the token, and unhash email only after securely logged in. In other words, I was saying, using the email as the identifier is a bad idea (I think?) if they can avoid it. That way, if the DB is broken, stolen, or whatnot - they just get the hashed and salted email address and it means nothing to them no matter how many rainbow tables they've got access to.

      (I'm no guru or anything but I've been listening to you guys for years.) If I were going to make something like this, that's one of the first things I'd look into. If I didn't then I'd suffer the scorn/wrath of many Slashdotters who'd call me a n00b, an idiot, and say I was a menace who knew shit about security. I've never *done* that but I'm pretty sure I could figure it out and I kind of know where to look if I need to do it.

      Heh, I've been watching you guys tear the hell out of security for years now. Err... I think my early account was in the 21xxx range but I don't recall the UID and certainly don't have the email address. So, yeah, I've been paying attention to all the things you've all been saying for all these years. To be honest, shutting the hell up and listening to people who know what they're talking about is actually probably the skill that's given me the most benefit in my life.

      --
      "So long and thanks for all the fish."
    8. Re:Here's some official words... by KGIII · · Score: 1

      IOW - Can't the UID be separate and just use that to unhash the email address and send the verification/address change/confirmation emails to it? It doesn't seem unworkable to me. I may be missing something, however. I did mention, I am no guru. Thus the question.

      --
      "So long and thanks for all the fish."
    9. Re:Here's some official words... by arth1 · · Score: 1

      That's what I mean. Hash and salt the email address, use a username as the token, and unhash email only after securely logged in.

      There is no "unhash". Hashing is a one-way mechanism.

      If you hash kgiii@somewhere.com you may get a string like 858248e6afced43bef32d31292e79a4ff1606d0344154f7acf6b1e5e, but there is no way except brute force cracking to get from that string to your e-mail address.

      That's the entire purpose of hashing. When a server stores your password in hashed format, they do not know your password. They can't retrieve it for you. Which means an intruder can't get it either. But they can verify that when you enter your password, it generates the same hash.

      Storing the hash of an e-mail address is pointless. You cannot get the e-mail address out of the hash, so there is no way to send you e-mail.
      Given that the only reason they keep the e-mail address is to send you e-mail, that defeats the entire purpose.

    10. Re:Here's some official words... by KGIII · · Score: 1

      Ah! I get it now. I think. Wait, no I don't... WTF?

      I took a few minutes to do a search and it led me to StackExchange. Pfft... They let *ME* give answers there, so I'll be damned if I trust 'em. However, if I'm reading correctly, it looks like it may still be possible but a rather futile effort?

      My thinking was:

      UUID = KGIII
      Password = somelongpassword
      Email = kgiii@example.com

      Where UUID is the ID (and not email) and both password and email are hashed & salted.

      I'm missing something and I should make it very clear that I hate DB work and absolutely suck at it. I've described my DB admin in the past, on this site, and he was an odd, very odd, man whom I'm convinced was a wizard.

      Wait, no, I'm retarded. I'll send this anyway and admit my shame. I just figured it out. It's a comparison and not a retrieval, right? "This value gets entered and is hashed and salted and if it matches that value then it is true." Where "this value" is not actually stored in any way? No, that's not even English. IOW, the hashed value that is stored is not meaningfully "decrypted" (no such critter as 'unhashing' really) but *just* the hashed value? Yeah, I think that's it. (I'm now on my second Rum and Coke. I don't really drink any more so...) Yeah, I'll send this anyhow.

      --
      "So long and thanks for all the fish."
    11. Re: Here's some official words... by Anonymous Coward · · Score: 0

      Don't take this wrong, but if you have 0 idea of a topic, don't talk about it. Not knowing what a hash function is is the equivalent of not knowing what addition is in algebra.

Please don't mislead other people. You are just doing guesswork.

      Thank you.

    12. Re: Here's some official words... by KGIII · · Score: 1

      I am trying to learn. Well, trying to make sense of it. Well, I was. I got it now (I think). I read about it and it just didn't want to click. So, I read the wiki page and I think I get it. Sheesh. You guys have taught me a lot. Hell, I like learning the shit you guys seem to all know. There's much that I don't know and I'm actually kind of glad that I don't know it 'cause it'd suck to know everything. It'd be pretty boring, I'd imagine. First you bitch if they don't know, then you bitch if they ask a question. Some of you are *good* at explaining things - helpful even. (Not you, obviously.) Something about a database confuses the hell out of me. Dunno what it is, always has. That and I'd never bothered to ask the mechanism for hashing/salting so now I've looked at it, think I got it, and will hopefully get a reply that says, "No dumb ass ____." Or I'll get one that says, "Close enough." Well, maybe, you spoiled the magic now. Ruiner.

      --
      "So long and thanks for all the fish."
    13. Re: Here's some official words... by bruce_the_loon · · Score: 1

      Two things: ignore the troll, and.

      Close enough.

      --
      Trying to become famous by taking photos. Visit my homepage please.
    14. Re: Here's some official words... by KGIII · · Score: 1

      Much appreciated. ;-) I learn lots of stuff here. That's why I come here. Well, that and I know other stuff. I figure it works out in the end.

      Thanks again.

      --
      "So long and thanks for all the fish."
  8. Shared memory by Anonymous Coward · · Score: 0

    The only time I have seen this happen is in an application badly designed to use shared memory across server processes.

    Example:

    + Globally scoped variable shared across server processes and not properly released.
    + Multiple user sessions accessing the same process (within milliseconds of each other).
    + Accessed data is shared between user sessions.

    Application design 101 fail.
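The failure mode this comment describes, as an added Python example that is not from the thread and says nothing about how Steam is actually built: a process-wide variable holds the current request's identity, two requests interleave, and the first request renders the second user's account. The same handler is then shown with identity carried in a per-request context instead. The account data and the generator-based scheduler are constructed so the interleaving is deterministic.

```python
import contextvars

# Constructed stand-in for the account database.
ACCOUNTS = {
    "alice": {"user": "alice", "email": "alice@example.invalid"},
    "bob":   {"user": "bob",   "email": "bob@example.invalid"},
}


def lookup_account(user_id):
    return dict(ACCOUNTS[user_id])


# --- The bad pattern: per-request identity parked in process-wide state ---
current_user = None  # one variable shared by every request this process handles


def vulnerable_handler(user_id):
    """Written as a generator so two requests can be interleaved deterministically;
    the yield marks where a real server would switch to another request."""
    global current_user
    current_user = user_id               # step 1: authenticate, stash identity globally
    yield
    return lookup_account(current_user)  # step 2: render the page from the global


# --- The fix: identity travels with the request (here via a ContextVar) ---
request_user = contextvars.ContextVar("request_user")


def safe_handler(user_id):
    request_user.set(user_id)                   # step 1: set in this request's own context
    yield
    return lookup_account(request_user.get())   # step 2: read it back, unaffected by others


class Request:
    """Runs a handler generator inside its own copied context, one step at a time."""

    def __init__(self, handler, user_id):
        self.ctx = contextvars.copy_context()
        self.gen = handler(user_id)

    def step(self):
        try:
            self.ctx.run(next, self.gen)
            return None
        except StopIteration as done:
            return done.value


def interleave(handler, first_user, second_user):
    """Schedule: A step 1, B step 1, A step 2, B step 2. This is the thread switch
    that turns a shared global into another user's data. Returns [A's page, B's page]."""
    a, b = Request(handler, first_user), Request(handler, second_user)
    a.step()
    b.step()
    return [a.step(), b.step()]


if __name__ == "__main__":
    print("shared global :", [p["user"] for p in interleave(vulnerable_handler, "alice", "bob")])
    print("request-scoped:", [p["user"] for p in interleave(safe_handler, "alice", "bob")])
```

With the global, both requests come back as bob; with the ContextVar, each request sees only the identity it set, even though the interleaving is identical. Passing an explicit request object through the call chain works just as well; the point is that nothing per-user lives in a variable that outlives the request.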

    1. Re:Shared memory by ledow · · Score: 1

      Those are shit ways to program, granted.

      But it could just be that one of their database instances is out of sync with another, causing one request for a webpage to retrieve several different (and then cached) bits of information for entirely different users. What was user 27 on one database might not be on the other, so you end up logging in as you, but getting Fred's language, and George's wishlist, etc.

      Just because you can think of bad ways to program, doesn't mean they are the only possible cause. Steam is a massive place, that has successfully survived an intrusion because it did properly encrypt and hash all relevant data in the past, and which makes heavy use of distributed servers and content delivery networks.

      Under DDoS conditions - as suspected to have preceded this problem - it's quite possible some database server has got out of sync, been corrupted while being shut down or improperly synchronised, or even just filled up and no longer able to properly replicate the global database.

  9. That's why! by Anonymous Coward · · Score: 0

    I was wondering why Steam suddenly decided to switch the language to Russian (or some other language using cyrillic script). Trying to switch back to English using the top right corner language menu gave me some error message... which was still in Cyrillic so it didn't exactly help. Fun times.

    Anyway, as far as hard-hitting bugs, this is pretty tame. At worst, someone could see my list of games or something... oh, the tragedy.

    1. Re:That's why! by Opportunist · · Score: 1

      Are you kidding? It's the worst possible disaster! They could find out about my Barbie Pony Farm play time!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. Don't login until it's fixed.. by Anonymous Coward · · Score: 1

    If you login to check if it's broken, your account details could be cached for someone else to view. If you don't login, they won't be cached.
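How "cached for someone else to view" happens mechanically, as an added Python example that is not from the thread and is not a statement about Steam's actual infrastructure (the page does not say what caused the bug): a shared cache keyed on the URL alone stores the first user's /account response and hands it to everyone after them. Two fixes are shown side by side, putting the session cookie into the cache key, and honouring Cache-Control: private / no-store so per-user responses are never stored. The accounts, cookies and origin are constructed.

```python
# Constructed sample: two logged-in users, identified by their session cookie.
ACCOUNTS = {
    "sess-alice": {"email": "alice@example.invalid", "phone_last4": "1234"},
    "sess-bob":   {"email": "bob@example.invalid",   "phone_last4": "9876"},
}


def origin(path, session_cookie):
    """Stand-in for the application server. Returns (body, response headers)."""
    if path == "/account":
        # Per-user page: the origin marks it so a shared cache must not store it.
        return dict(ACCOUNTS[session_cookie]), {"Cache-Control": "private, no-store"}
    # Everything else is identical for all users and safe to share.
    return {"static": path}, {"Cache-Control": "public, max-age=3600"}


class SharedCache:
    """A cache sitting in front of origin and serving many users at once.

    key_fn decides what two requests must have in common to get the same cached
    object; honor_private decides whether Cache-Control: private / no-store is obeyed."""

    def __init__(self, key_fn, honor_private=False):
        self.key_fn = key_fn
        self.honor_private = honor_private
        self.store = {}

    def get(self, path, session_cookie):
        key = self.key_fn(path, session_cookie)
        if key in self.store:
            return self.store[key], "HIT"
        body, headers = origin(path, session_cookie)
        cc = headers.get("Cache-Control", "")
        uncacheable = "private" in cc or "no-store" in cc
        if not (self.honor_private and uncacheable):
            self.store[key] = body
        return body, "MISS"


# Misconfigured: cache key is the URL alone and private responses are stored.
# Whoever loads /account first fills the slot; everyone after them reads it.
leaky = SharedCache(key_fn=lambda path, cookie: path)

# Fix 1: the session cookie is part of the cache key (per-user cache entries).
keyed = SharedCache(key_fn=lambda path, cookie: (path, cookie))

# Fix 2: URL-only key, but private/no-store responses are never stored at all.
honoring = SharedCache(key_fn=lambda path, cookie: path, honor_private=True)


def account_seen_by(cache, cookie):
    """Which account's e-mail a given session gets back for /account."""
    body, _status = cache.get("/account", cookie)
    return body["email"]


if __name__ == "__main__":
    for name, cache in (("leaky", leaky), ("keyed", keyed), ("honoring", honoring)):
        print(name, account_seen_by(cache, "sess-alice"), account_seen_by(cache, "sess-bob"))
```

With the leaky configuration, bob's request is a cache HIT on alice's page, which is exactly the "log in and see somebody else's details" symptom; with either fix, bob gets bob. Fix 2 still shares static assets across users, so it does not throw away the cache's benefit.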

    1. Re:Don't login until it's fixed.. by Anonymous Coward · · Score: 0

      If you login to check if it's broken, your account details could be cached for someone else to view. If you don't login, they won't be cached.

      we're always logged in...

  11. get the scriptkiddies by SuperDre · · Score: 0

    I do hope the scriptkiddies who DDoSed it (and the other major gaming networks) are being found and sent to prison... (if it were up to me, they should even get their heads smashed in)..

    1. Re:get the scriptkiddies by Anonymous Coward · · Score: 0

      Who let the suits out?

      This is Slashdot. ISTR the hacker culture being heralded here instead of tirades of these emotional torrents of diarrhea. Go back to reading your 'business tech blog' site.

  12. When I buy software on DVD by Anonymous Coward · · Score: 0

    This doesn't happen.

  13. Add it to the pile by ElectricHellKnight · · Score: 2

    Just another reason that Steam is awful. This is what happens when you put all your eggs in one basket. Who thought it was a good idea to have this ugly, buggy, bloated, and now apparently insecure, program installed alongside every single PC release? And the worst part is that there is no alternative. Origin only offers EA games, and GOG doesn't have many (if any) new releases.

    I really can't wait for another service to come along and knock Steam off their pedestal. Maybe then it will force Valve to get their shit together.

    1. Re:Add it to the pile by hairyfeet · · Score: 2

      Oh boo bloody hoo, the servers were down for less than an hour, during the most hectic sale they have each year BTW, and all that had happened was some intern flipped the wrong switch and caused the caching server to show the details of random schmuck's Steam wallet. That's it, you couldn't spend the wallet, trade their games, or do anything else other than see what Joe Nobody had in their Steam wallet and their email address which in 2015 is plastered all over every damned place anyway.

      Meanwhile all the games played just fine, the world kept spinning, and in less than an hour it was all back up and running just as pretty as you please.... you spoiled much? And just FYI you are forgetting UbiSuck and their craptastic client which you are welcome to buy from, I think this year they offered a whole...gasp! 10% off during their Xmas sale on select titles they can't give away like Watch Doges.

      Excuse me if I don't panic or actually give any shits if some dude in Bavaria found out I have a whole 32c in my Steam Wallet from getting rid of those stupid Steam cards all the games seem to give you, I was too busy pounding noobs into submission to really care. You are free to buy from the half a dozen other sites, good luck with keeping all those accounts synced and up to date, not to mention the extra bullshit of having a half a dozen clients all wanting to phone home, me I'll just chalk this up to the "Steam always has a fuckup on Xmas" bug (which happens every year BTW) and go back to enjoying my new games.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    2. Re:Add it to the pile by ElectricHellKnight · · Score: 1

      Oh boo bloody hoo, the servers were down for less than an hour, during the most hectic sale they have each year

      It's not just this, trust me. There's a whole host of reasons why Steam is awful. Too many for me to list them all in detail, although most of them can be summed up as "bad customer support". But I know that to try and change your opinion would be futile, enjoy defending Valve. I'm sure they really appreciate you.

    3. Re:Add it to the pile by Ash-Fox · · Score: 1

      Who thought it was a good idea to have this ugly, buggy, bloated, and now apparently insecure, program installed alongside every single PC release?

      What are you talking about? I have Origin, uplay, Desura, battle.net etc. and that's ignoring games that don't have their own patchers like Wildstar, Star Trek: Online, Final Fantasy 14 etc.

      I really can't wait for another service to come along and knock Steam off their pedestal.

      Honestly, I just want the green light crap gone.

      --
      Change is certain; progress is not obligatory.
    4. Re:Add it to the pile by Anonymous Coward · · Score: 0

      Here's how it works. If you're not going to list the "whole host of reasons why Steam is awful" then just STFU.

      Unlike kindergarten, you're not that special anymore. No one will put you up on a pedestal because you expressed an opinion. Those days are over.

      Btw, this is why /. is going downhill, whiny teens+hipsters who wouldn't know a resistor from a capacitor.

      I yearn for the old days on /. where actual technical folks discussed stuff based on facts and experience and the reader could actually learn something.

      Sigh.

    5. Re:Add it to the pile by Anonymous Coward · · Score: 0

      Yeah, you should be used to this sort of thing by now. It's not like the rest of us didn't warn you this sort of thing would happen every now and then as a result of being tied to a third-party. Go spend some time with your friends and family until they fix it again.

  14. Valve strikes again! by Anonymous Coward · · Score: 0

    This is from last summer: Steam Bug Allowed Password Resets Without Confirmation.

    Bad announcements, crusty security. Time for a nerdcott?

  15. And still... by robert.geake · · Score: 1

    ... They ask every time I start Steam... Is this your email address, please confirm. So I do, then the next time I start it... Is this your mail address! For security :)

  16. Why does Valve have CC info by MoarSauce123 · · Score: 1

    Why does Valve (as well as other vendors) hold on to CC info? After completing a transaction the vendor ought to throw that info away. Yes, it is annoying to type the numbers in again each time, but that is much better compared to having CC info stolen. Where are the legislators when we need them? Storing CC info beyond transaction completion should not be permitted for a vendor. Likewise, using the SSN for anything other than dealing with federal and state departments ought to be disallowed as well. Why do insurance companies and banks need to know my SSN? Do they plan to pay into my retirement account? If they need an ID then (ab)use the driver's license, which also should be only about indicating the ability to operate a vehicle. If there is a need to have an ID then let's have a resident registry and give out ID cards. Why do other countries get this straight and the US doesn't?