Slashdot Mirror


Steam Bug Shows You Other Users' Account Details (kotaku.com)

An anonymous reader writes: The Steam game distribution platform is suffering from a particularly bad bug right now. If you log in and try to look at your account details, you're shown the details of another user's account — seemingly picked at random. This includes email address, last 4 digits of a phone number, whether SteamGuard (their two-factor authentication) is enabled, and the last 2 digits of an associated credit card. If you play a game, Steam will show you as being logged in as somebody else while in that game. Many users are being shown pages in other languages, as they are mistaken for players in different regions. This bug follows an apparent DDoS attack that took the service down for several hours. The bug doesn't seem to allow people to purchase games using a different account. That's good, though that means most, perhaps all players, are unable to buy games on Christmas during Steam's huge Winter Sale.

3 of 92 comments

  1. Re:People are speculating it's these shit stains by Mashiki · Score: 3, Informative

    According to Steam.DB it's a page caching issue, and the server not obeying cache control headers. Which wouldn't surprise me, every time there's a holiday sale of some kind weird things happen on Steam.

    Why anyone would post something from Kotaku and believe it to be trustworthy though is what I find funny in all of this. I'm surprised that Kotaku didn't try to blame white males and the patriarchy for the problems.

    --
    Om, nomnomnom...
  2. Re:People are speculating it's these shit stains by Anonymous Coward · Score: 5, Informative

    According to Steam.DB it's a page caching issue, and the server not obeying cache control headers. Which wouldn't surprise me, every time there's a holiday sale of some kind weird things happen on Steam.

    In other words, Valve screwed up.

    Because short of some massive MITM attack, it means Valve's account servers are being sent through their caching server. Think about that for a moment - Valve's caching your account page - why? This is a page that has your personal information, and it's being cached by Valve's caching servers before it's encrypted by the SSL edge device (most traffic is unencrypted, even the secure servers, while it travels on the internal company network - an SSL edge device/load balancer encrypts it before it hits the internet. This is why a caching server can actually cache it - as far as it's concerned, it's regular HTTP traffic).

    And even worse, that caching server, owned by Valve, is configured to only look at headers - it's not set up to simply not cache specific servers.

    There is NOTHING you or I could do to prevent this - it's a pretty epic screw up. One hopes that their credit card payment system isn't this lax - imagine purchasing a game and having your credit card payment cached. Looks like it's not just stores and restaurants, but internet e-commerce sites that can screw up as well.
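
Added example, not part of the thread or of any commenter's post: a toy Python model of the failure the comments describe, where a shared cache keyed only by URL sits in front of a per-user account page. It compares a cache that ignores `Cache-Control` with one that applies the shared-cache storage rules of RFC 9111; the origin function, session cookie format and URL are constructed for illustration.

```python
# Added example: toy shared cache in front of a per-user page (constructed data).

def parse_cache_control(value):
    """Return the set of lowercase Cache-Control directive names."""
    return {part.split("=", 1)[0].strip().lower()
            for part in value.split(",") if part.strip()}

def shared_cache_may_store(request_headers, response_headers):
    """Storage decision for a shared cache (RFC 9111 section 3).
    Header names are matched case-sensitively to keep the toy short."""
    cc = parse_cache_control(response_headers.get("Cache-Control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    # A response to an authenticated request needs explicit opt-in from the origin.
    opt_in = {"public", "s-maxage", "must-revalidate"}
    if "Authorization" in request_headers and not cc & opt_in:
        return False
    # Conservative extra rule (an assumption here, not an RFC requirement):
    # never store a response that sets a cookie.
    return "Set-Cookie" not in response_headers

class SharedCache:
    def __init__(self, honor_headers):
        self.honor_headers = honor_headers
        self.store = {}  # keyed by URL only: every client shares one entry

    def fetch(self, url, request_headers, origin):
        if url in self.store:
            return self.store[url]
        response_headers, body = origin(url, request_headers)
        if not self.honor_headers or shared_cache_may_store(request_headers, response_headers):
            self.store[url] = body
        return body

def account_origin(url, request_headers):
    """Hypothetical origin: renders the page for the session named in Cookie."""
    user = request_headers["Cookie"].split("=", 1)[1]
    return {"Cache-Control": "private, no-store"}, f"account page for {user}"

def demo():
    """Return what the second visitor (bob) receives under each cache policy."""
    results = {}
    for honor in (False, True):
        cache = SharedCache(honor_headers=honor)
        cache.fetch("/account", {"Cookie": "session=alice"}, account_origin)
        results[honor] = cache.fetch("/account", {"Cookie": "session=bob"}, account_origin)
    return results
```
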

  3. Re:People are speculating it's these shit stains by Mashiki · Score: 1, Informative

    Confused as to how SJWs fit into this conversation, or even your post.

    Kotaku has a long history of pandering to the lowest common denominator when they publish an article. If they're not pandering and trying to blame something on xyz group to draw in clicks, they're running wild claiming that xyz group is the cause of the ills in the first place by just shoving it in there.

    --
    Om, nomnomnom...