Slashdot Mirror


Steam Bug Shows You Other Users' Account Details (kotaku.com)

An anonymous reader writes: The Steam game distribution platform is suffering from a particularly bad bug right now. If you log in and try to look at your account details, you're shown the details of another user's account — seemingly picked at random. This includes email address, last 4 digits of a phone number, whether SteamGuard (their two-factor authentication) is enabled, and the last 2 digits of an associated credit card. If you play a game, Steam will show you as being logged in as somebody else while in that game. Many users are being shown pages in other languages, as they are mistaken for players in different regions. This bug follows an apparent DDoS attack that took the service down for several hours. The bug doesn't seem to allow people to purchase games using a different account. That's good, though that means most, perhaps all players, are unable to buy games on Christmas during Steam's huge Winter Sale.

10 of 92 comments

  1. Re:Actually by binarylarry · · Score: 3, Funny

    You fool! This is the Combine's first preinvasion tactic!

    Disorient, Divide and Conquer. It's right there in the G-Man's playbook, clear as crystal!

    --
    Mod me down, my New Earth Global Warmingist friends!
  2. Here's some official words... by waspleg · · Score: 2

    from a community mod

    They're going around locking topics like whackamole now.

    Here's the text if you're leery:

    Account information incorrect
    We've gotten reports that people sometimes see other people's account information on the account page. Valve has been made aware of this and is working on a fix.

    Some frequently asked questions:
    - No, Steam is not hacked

    - Credit card info and phone numbers are, as required by law, censored and not visible to users

    1. Re: Here's some official words... by Anonymous Coward · · Score: 2, Funny

      And that is why Linux is so much safer: my steam hasn't been working since the nvidia update over a month ago. Everything Linux does is a security feature :3

  3. Re:People are speculating it's these shit stains by Mashiki · · Score: 3, Informative

    According to Steam.DB it's a page caching issue, and the server not obeying cache control headers. Which wouldn't surprise me, every time there's a holiday sale of some kind weird things happen on Steam.

    Why anyone would post something from Kotaku and believe it to be trustworthy though is what I find funny in all of this. I'm surprised that Kotaku didn't try to blame white males and the patriarchy for the problems.

    --
    Om, nomnomnom...
  4. Re:People are speculating it's these shit stains by Anonymous Coward · · Score: 5, Informative

    According to Steam.DB it's a page caching issue, and the server not obeying cache control headers. Which wouldn't surprise me, every time there's a holiday sale of some kind weird things happen on Steam.

    In other words, Valve screwed up.

    Because short of some massive MITM attack, it means Valve's account servers are being sent through their caching server. Think about that for a moment - Valve's caching your account page - why? This is a page that has your personal information, and it's being cached by Valve's caching servers before they're being encrypted by the SSL edge device (most traffic is unencrypted, even the secure servers, while it travels on the internal company network - an SSL edge device/load balancer encrypts it before it hits the internet. This is why a caching server can actually cache it - as far as it's concerned, it's regular HTTP traffic).

    And even worse, that caching server, owned by Valve, is configured to only look at headers - it's not set up to simply not cache specific servers.

    There is NOTHING you or I could do to prevent this - it's a pretty epic screw up. One hopes that their credit card payment system isn't this lax - imagine purchasing a game and having your credit card payment cached. Looks like it's not just stores and restaurants, but internet e-commerce sites that can screw up as well.

  5. Re:People are speculating it's these shit stains by izat · · Score: 2

    My guess is Steam reconfigured their caching servers in an attempt to mitigate the DDoS attack and accidentally screwed things up (caching signed-in requests).
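
Added example, not part of the thread and not Valve's code: a minimal Python simulation of the failure comments 4 and 5 describe, a shared cache that stores signed-in responses and ignores `Cache-Control`, next to a policy that honors the headers and bypasses the cache for signed-in requests. The `origin` function, the `SharedCache` class, the `session` cookie name and the paths are all hypothetical and constructed for illustration.

```python
def origin(path, cookies):
    """Constructed origin: /account is per-user, everything else is shared."""
    if path == "/account":
        user = cookies.get("session", "anonymous")
        return {"headers": {"Cache-Control": "private, no-store"},
                "body": f"account page for {user}"}
    return {"headers": {"Cache-Control": "public, max-age=60"},
            "body": "store front page"}


def storable(cookies, response):
    """Hardened policy: keep only responses that are safe to share."""
    raw = response["headers"].get("Cache-Control", "")
    directives = {d.strip().split("=")[0].lower()
                  for d in raw.split(",") if d.strip()}
    # no-cache strictly means "revalidate before reuse"; refusing to
    # store it at all is the conservative reading for a shared cache.
    if directives & {"private", "no-store", "no-cache"}:
        return False
    if "Set-Cookie" in response["headers"] or "session" in cookies:
        return False
    return bool(directives & {"public", "max-age", "s-maxage"})


class SharedCache:
    def __init__(self, obey_headers):
        self.obey_headers = obey_headers
        self.store = {}  # keyed by path only, so entries are shared by all users

    def get(self, path, cookies):
        # Hardened mode never serves signed-in requests from the shared store.
        bypass = self.obey_headers and "session" in cookies
        if not bypass and path in self.store:
            return self.store[path]["body"]
        response = origin(path, cookies)
        if not self.obey_headers or storable(cookies, response):
            self.store[path] = response
        return response["body"]


def demo(obey_headers):
    """Return what two different signed-in users see for /account."""
    cache = SharedCache(obey_headers)
    alice = cache.get("/account", {"session": "alice"})
    bob = cache.get("/account", {"session": "bob"})
    return alice, bob
```

With `demo(False)` the second user receives the first user's page; with `demo(True)` each user gets their own page while the anonymous store front is still cached.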

  6. Re:People are speculating it's these shit stains by Gumshoe · · Score: 3, Insightful

    Without knowing more details, I think your analysis sounds correct.

    What I want to know is, why isn't this information encrypted apart from the SSL connection? There should be a public-private key pair for every customer managed by the Steam infrastructure and which is used to encrypt these sensitive details. In other words, personal information is encrypted long before it gets anywhere near the caches. That way, if there is a caching problem, the problem is minimal.

    I don't like the idea of relying on SSL to protect this information.

    Shrugs. I don't know (none of us do at this point) but I'll be very interested to hear what the cause of all this is.

  7. Re:People are speculating it's these shit stains by sumdumass · · Score: 3, Funny

    Don't get too upset. He graduated from high school with Alanis Morissette. Evidently, the class to graduate the year before them thought they were too self centered so for the senior prank, they tore every page in the dictionaries out that defined any word starting with the letter i. Some seniors glued copies of other pages defining words like team, you, them and so on in their place. Some seniors drew pictures of spiders and stick figures in dunce hats thinking they would be funny or something.

    Anyways, it left a generation not knowing the definition of Irony (no, it's not something that feels like metal or clothing your mom pressed).

  8. Add it to the pile by ElectricHellKnight · · Score: 2

    Just another reason that Steam is awful. This is what happens when you put all your eggs in one basket. Who thought it was a good idea to have this ugly, buggy, bloated, and now apparently insecure, program installed alongside every single PC release? And the worst part is that there is no alternative. Origin only offers EA games, and GOG doesn't have many (if any) new releases.

    I really can't wait for another service to come along and knock Steam off their pedestal. Maybe then it will force Valve to get their shit together.

    1. Re:Add it to the pile by hairyfeet · · Score: 2

      Oh boo bloody hoo, the servers were down for less than an hour, during the most hectic sale they have each year BTW, and all that had happened was some intern flipped the wrong switch and caused the caching server to show the details of random schmuck's Steam wallet. That's it, you couldn't spend the wallet, trade their games, or do anything else other than see what Joe Nobody had in their Steam wallet and their email address which in 2015 is plastered all over every damned place anyway.

      Meanwhile all the games played just fine, the world kept spinning, and in less than an hour it was all back up and running just as pretty as you please.... you spoiled much? And just FYI you are forgetting UbiSuck and their craptastic client which you are welcome to buy from, I think this year they offered a whole...gasp! 10% off during their Xmas sale on select titles they can't give away like Watch Doges.

      Excuse me if I don't panic or actually give any shits if some dude in Bavaria found out I have a whole 32c in my Steam Wallet from getting rid of those stupid Steam cards all the games seem to give you, I was too busy pounding noobs into submission to really care. You are free to buy from the half a dozen other sites, good luck with keeping all those accounts synced and up to date, not to mention the extra bullshit of having a half a dozen clients all wanting to phone home, me I'll just chalk this up to the "Steam always has a fuckup on Xmas" bug (which happens every year BTW) and go back to enjoying my new games.

      --
      ACs don't waste your time replying, your posts are never seen by me.