Valve resolves recently exploited Steam password reset vulnerability

By Scorpus
Jul 27, 2015
Post New Reply
  1. Valve has quickly addressed a major security vulnerability with Steam's password reset utility after it was discovered that the Steam accounts for a number of prominent game streamers were compromised.

    The vulnerability allowed an attacker to reset the password of any Steam account by simply not entering a recovery code during the password reset process. This "bug", as Valve called it, made gaining access to an account very easy by failing to check a recovery code, usually sent to the account holder's email address, had been correctly entered.

    The video above demonstrates just how easily the vulnerability could be exploited.

    Valve discovered the issue on July 25 and immediately fixed it, noting that some accounts may have been impacted between July 21 and July 25. The company is resetting the passwords of accounts with "suspicious password changes" made during that period to prevent malicious users from gaining further access.

    Anyone who has enabled Steam Guard, Valve's two-factor authentication system, on their account would not have been affected by the vulnerability with Steam's password reset utility. Although an attacker could still have reset a user's password, they wouldn't have been able to login to the account itself without also having access to the user's email account.

    While Valve did manage to address the issue shortly after it was discovered, such a glaring vulnerability should never have existed in the first place, and it's just lucky that not many accounts were compromised. It should also serve as a reminder to Steam users to enable Steam Guard to prevent unwanted account access even if their login credentials are stolen or modified.

    Permalink to story.

  2. RustyTech

    RustyTech TS Guru Posts: 818   +384

    Anyone who has used Steam Guard, has most likely disabled it. It's complete BS and extremely annoying.
  3. Kibaruk

    Kibaruk TechSpot Paladin Posts: 2,420   +469

    Really? I have used it and still do, whenever I log into my computer I set the "remember computer" and it will only ask when it's from somewhere else, it's not bs and it's not annoying either.
  4. RustyTech

    RustyTech TS Guru Posts: 818   +384

    For some reason it ALWAYS asked me to for the code; every time I logged into Steam.
    ...and yes, I would mark it "remember computer"
  5. LNCPapa

    LNCPapa TS Special Forces Posts: 4,202   +422

    I am in the same boat with Kibaruk. I love Steam Guard and it gives me a bit of peace-of-mind even though I know it's not bulletproof. It also does not prompt me after I've set it to remember this computer.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...