Valve Patches Major Steam Exploit You Didn't Know About

Megalith

You do have two-step verification and other security features beyond a basic password for your Steam account, right? If you don’t, here is another case of why you should. Apparently, Valve kept this exploit a secret—I imagine that the whining already happened, but at least the company patched it within a few hours. This one involved an XSS exploit, so if you have been browsing Steam in any way, you may want to keep vigilant.

According to the mod in question, this was triggered just by viewing a dodgy profile page, or your own activity feed, but both these areas have now been patched up and fixed. However, if you’ve been clicking around Steam profiles earlier today, or the activity feed, that could obviously be a worry. There’s no sure way to tell if you have been affected at this point, unfortunately, save for – obviously enough – odd things happening to your Steam account. Fingers crossed that isn’t the case. As mentioned, this isn’t the first time we’ve witnessed an exploit hitting the Steam site, or indeed serious privacy woes like the time just over a year ago when people’s account details (including credit card data) became visible to some other users (rather than their own information).
 
Once the Steam client is running, 2FA isn't required. It only needs it for a new system and/or network connection.
 
If they patched it in a few hours I don't really mind them keeping it a secret. I mean even bug bounty hunters don't make stuff public until companies ignore their warnings. I would only have a problem if they ignored it and kept it a secret.
 
Wow this is hilarious!! Why... because my steam profile was just hacked recently.

So with the steam mobile authenticator activated on my account, no matter what PC I log in to either on the Steam Client or even the steam web page I have to get my phone out to get the access code that steam gives for 2 factor authentication. So let's say I go out of town to visit a friend, and I see a game is on sale on steam and I don't have my PC at home on to remote in to I can go to the steam page to sign in and it will ask for authentication.


So... somehow someone got a hold of information off of my steam account, name, address, e-mail, CD Keys etc and e-mails steam support to ask them to please remove the steam guard from my account as the phone was lost. THE IDIOT AT STEAM SUPPORT REMOVED IT!!!!!! no questions asked, no double security checks, no e-mails to the address on record, no texts to the phone on record...... nothing!!!! The level of incompetence here is astounding. Even if I did lose my damned phone I could still go to my carrier and get another with the same phone number the same day.

Luckily I was able to catch all of this within minutes of it all happening and re-secure my account, change my passwords, re-enable steam guard and etc. The person who was stealing my account was in the process of changing the region, the currency and luckily didn't think to change the password right off the bat. I work as a systems administrator on hundreds of systems, I've rarely ever had a virus or malware on any of my systems at home...even with this confidence I still do check from time to time to make sure nothing wonky is going on. So how did this info get leaked? (cue X-Files theme song)

Needless to say I messaged steam support about this and plain and simple they don't care. No "we're sorry this happened", it was just a message pointing the blame toward me (you have a virus or malware is what they said lol)
 
Why do I want 2 step just to launch a game?
A better question is "why do I want Steam just to launch a game?"

In all seriousness though, this particular vulnerability involved an XSS exploit on the Steam site that could be triggered by viewing certain web pages. According to the links below, Valve has quite a history of failing to properly sanitize user-submitted content, thus allowing arbitrary JavaScript injection on various parts of their site.

https://www.reddit.com/r/Steam/comments/5skfg4
https://www.reddit.com/r/Steam/comments/5smjle
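
The failure mode described above (user-submitted profile content reaching the page unencoded) next to a context-aware fix, as an added example that is not part of the original post and not Valve's code. The feed-entry fields, function names and sample values are hypothetical and constructed for illustration.

```javascript
// Added example: field names and sample data are constructed, not taken from Steam.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text for HTML element content or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) links; any other scheme is rejected.
function safeHref(url) {
  try {
    const parsed = new URL(String(url).trim());
    return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : null;
  } catch {
    return null; // not a parseable absolute URL
  }
}

// "Before": user-submitted fields concatenated straight into markup.
function renderFeedEntryUnsafe(entry) {
  return `<div class="feed"><a href="${entry.link}">${entry.displayName}</a>: ${entry.status}</div>`;
}

// "After": every user-controlled field is encoded for the context it lands in,
// and the link is dropped entirely when its scheme is not allowed.
function renderFeedEntrySafe(entry) {
  const href = safeHref(entry.link);
  const name = escapeHtml(entry.displayName);
  const who = href ? `<a href="${escapeHtml(href)}" rel="noopener">${name}</a>` : name;
  return `<div class="feed">${who}: ${escapeHtml(entry.status)}</div>`;
}

// Constructed sample entry with markup in every user-controlled field.
const sample = {
  displayName: 'Player<script>alert(1)</script>',
  link: 'javascript:alert(1)',
  status: '"><img src=x onerror=alert(1)>',
};
```

The unsafe renderer passes the sample's markup through verbatim, while the safe one emits it as inert text and omits the link.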
 
Wow this is hilarious!! Why... because my steam profile was just hacked recently.
That's awful. Have you persisted to press them for more information about the incident? I would demand some serious answers if I were you.
 
This is one area I particularly get frustrated with when talking to others about Valve & Steam. Way too many people have this notion that Valve can do no wrong and Steam is perfect, and that if you lose your account, it's entirely your fault. I understand that the majority of times this may be true, but no company is perfect when it comes to security, and until it happens to them, they just put on blindfolds and refuse to even consider that there could even be the possibility of a flaw.
 
I also have 2-factor enabled on my Steam account (also on google, amazon and microsoft). It's not too much of a hassle as it only asks you once per device.

As for getting an account rep to remove your 2-factor, humans will always be a weakness. They should have sent a reset email though instead of just deactivating everything. Also, it actually is possible they got that information from your computer, otherwise how could they have gotten all that? It'd be bad if Steam itself is compromised.
 
I guess I have that enabled.

It sends me an email with some random characters when I log in to Steam on a different computer.
 
Wow this is hilarious!! Why... because my steam profile was just hacked recently.

So with the steam mobile authenticator activated on my account, no matter what PC I log in to either on the Steam Client or even the steam web page I have to get my phone out to get the access code that steam gives for 2 factor authentication. So let's say I go out of town to visit a friend, and I see a game is on sale on steam and I don't have my PC at home on to remote in to I can go to the steam page to sign in and it will ask for authentication.


So... somehow someone got a hold of information off of my steam account, name, address, e-mail, CD Keys etc and e-mails steam support to ask them to please remove the steam guard from my account as the phone was lost. THE IDIOT AT STEAM SUPPORT REMOVED IT!!!!!! no questions asked, no double security checks, no e-mails to the address on record, no texts to the phone on record...... nothing!!!! The level of incompetence here is astounding. Even if I did lose my damned phone I could still go to my carrier and get another with the same phone number the same day.



Luckily I was able to catch all of this within minutes of it all happening and re-secure my account, change my passwords, re-enable steam guard and etc. The person who was stealing my account was in the process of changing the region, the currency and luckily didn't think to change the password right off the bat. I work as a systems administrator on hundreds of systems, I've rarely ever had a virus or malware on any of my systems at home...even with this confidence I still do check from time to time to make sure nothing wonky is going on. So how did this info get leaked? (cue X-Files theme song)

Needless to say I messaged steam support about this and plain and simple they don't care. No "we're sorry this happened", it was just a message pointing the blame toward me (you have a virus or malware is what they said lol)

Unfortunately social engineering will always surpass digital security.
 
I also have 2-factor enabled on my Steam account (also on google, amazon and microsoft). It's not too much of a hassle as it only asks you once per device.

As for getting an account rep to remove your 2-factor, humans will always be a weakness. They should have sent a reset email though instead of just deactivating everything. Also, it actually is possible they got that information from your computer, otherwise how could they have gotten all that? It'd be bad if Steam itself is compromised.

Even reset emails can be exploited via human weakness. Convince them that they lost their email. For example, I've been a member of [H] since 1999 (at least I think that was the year. I believe it was a review of the TNT2 Ultra that brought me here), but I moved and lost access to my email and forgot my username and password. (No, I was not banned, but this was a new account and handle I was using in 2004. I change my handle every few years). I'm sure someone with charisma could persuade people with a similar argument.
 