HTML holes exposed sensitive data for “private” Steam user accounts

Valve has remedied a major potential privacy issue with the Steam Community website after it was brought to the company's attention by Ars. The flaw allowed anyone to view game purchase history, achievement history, recent play time, and more—even for Steam users that had set their profiles to private.

I recently discovered the privacy hole when fiddling with Steam's profile settings and examining the source code behind the site. Since the problem exposed potentially sensitive data about Steam users, the examples cited in this article will primarily be from my personal profile. That said, we independently confirmed that the privacy hole applied to any profile that was set to "Private" or "Friends only." Many such profiles could be easily discovered using Google without prior knowledge of the user's Steam ID number or name.

Out of respect for the privacy of Steam's more than 50 million users, we did not immediately publish our discovery of this privacy hole. Instead, we documented the problem and notified Valve of the issue late on Monday evening. Within three hours of sending our message, our spot checks showed that the problem appeared to be remedied.
