Valve patches security hole that enabled takeover of Steam accounts

Valve has patched a bug in its Steam system that let an attacker easily take over an arbitrary account using nothing but the account's username.

The hijacking exploit took advantage of a hole in Steam's password recovery feature, which sends a recovery code to the registered e-mail address associated with the account. That e-mailed code needs to be entered on a form through the Steam website, but an attacker could simply skip that code entry step, leaving the recovery code area blank, and have full access to the password change dialog, as demonstrated in this video.
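To illustrate the check that such a bypass defeats, here is an added toy model of a recovery-code flow (constructed example, not Valve's code and not a claim about how Steam's form was implemented); the `PasswordRecovery` class and its method names are assumptions, and `strict=False` models a verifier that only rejects an explicitly wrong code, while `strict=True` shows the hardened check:

```python
import hmac
import secrets


class PasswordRecovery:
    """Minimal model of an e-mailed recovery-code flow (constructed example)."""

    def __init__(self, strict=True):
        self.strict = strict
        self.pending = {}      # username -> code that was "e-mailed"
        self.verified = set()  # usernames whose code has been accepted

    def request_reset(self, username):
        code = secrets.token_hex(4)   # stand-in for the e-mailed recovery code
        self.pending[username] = code
        return code                   # returned only so a demo can feed it back in

    def submit_code(self, username, submitted):
        expected = self.pending.get(username)
        if self.strict:
            # Hardened: a code must exist, be non-empty and match exactly.
            ok = (bool(submitted) and expected is not None
                  and hmac.compare_digest(submitted, expected))
        else:
            # Flawed pattern: only an explicitly *wrong* code is rejected,
            # so a blank submission is treated as "nothing to reject".
            ok = not (submitted and submitted != expected)
        if ok:
            self.verified.add(username)
            self.pending.pop(username, None)   # codes are single-use
        return ok

    def change_password(self, username, new_password):
        # The password dialog must only open after a successful code check.
        if username not in self.verified:
            return False
        self.verified.discard(username)
        return True
```

Running both variants shows the blank submission reaching `change_password` only in the flawed configuration.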

In a statement to Kotaku, Valve said it quickly fixed the bug when made aware of it on Saturday, July 25, but that "a subset of Steam accounts" could have been affected since July 21. It's hard to know precisely how often the attack was used in that time, but a number of prominent Counter-Strike: GO streamers and others with well-known Steam usernames seem to have been affected.
