A huge gaping hole that allowed attackers to hijack Steam accounts has been discovered, exploited last week, and finally closed by Valve Corp. this weekend.
The attackers didn’t have to have any technical skills whatsoever – they just had to know the target’s account username and enter it in the password reset form, and after choosing the “Email an account recovery code to firstname.lastname@example.org” option, Steam would send a recovery code to the users’ email.
Unfortunately for the targeted users, attackers discovered that no recovery code has to actually be entered in order to allow them to proceed and finish the password reset procedure by choosing a new password.
The attack has been demonstrated in this video:
By the time the bug was fixed, many accounts had been hijacked, including those of several prominent gamers that stream their game-plays on Twitch.tv.
Fortunately, Valve has put in place a five-day ban on trading on the Steam Market when a user changes his or her password. This ban was implemented so that legitimate users don’t lose their pricy items if their accounts get hijacked by malicious individuals.
Valve has been sending out emails to affected users, saying that they learned of the bug on July 25 and that they attacks started on July 21.
“To protect users, we are resetting passwords on accounts that changed passwords during that period using the account recovery wizard. You will receive an email with your new password. Once that email is received, it is recommended that you login to your account via the Steam client and set a new password,” the company shared and advised.
They also reassured users that the attackers didn’t have access to their original passwords, so they don’t have to worry about changing it if they used it for other online accounts (even though it’s a good security practice to use unique passwords for every account).
Finally, they said that “if Steam Guard [Mobile Authenticator] was enabled, the account was protected from unauthorized logins even if the password was modified.”