Valve has announced that a recently discovered security flaw in its password reset process has been fixed. The announcement follows reports last week from numerous users, including a professional DOTA 2 player, that their accounts had been temporarily hijacked. Other users reported items missing from their inventories once they had regained control of their accounts. Valve has since begun notifying the users it suspects were affected, and is resetting the password on any account that had a suspicious password change during the affected period.
How was this possible? What sort of hacking skills would you need to pull off such a feat, you may ask? This time, not many: all that was required to hijack an account was its username. Armed with that, the hijacker simply started the recovery process by clicking “forgot my login details” in the Steam client and entering the Steam name of the target account, which prompted Steam to send a randomly generated code to the registered email address. Normally that code has to be entered before the reset can proceed. However, if the hijacker left the code field blank and clicked Continue, the client let them change the password unhindered, giving them full access to the account. In other words, the verification step, which should fail closed when no code is supplied, accepted an empty submission, so the attacker never needed to see the emailed code at all.
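To make the failure mode concrete, here is an added example (not Valve's code, and not from the original post) of a hypothetical minimal reset backend in Python: `verify_code_vulnerable` shows a check that treats a blank submission as verified, which is the behaviour described above, and `verify_code_fixed` shows the check done properly, failing closed on a missing or blank code, expiring the code, allowing it to be used only once, capping guesses and comparing in constant time. The account data, code format and time limits are all constructed for the illustration.

```python
"""Hypothetical password-reset backend illustrating the blank-code bypass.

This is an added example, not Valve's implementation. Accounts, codes and
time limits below are constructed for the demonstration.
"""
import hmac
import secrets
import time

# Constructed in-memory state; a real service would keep this in a database.
ACCOUNTS = {"alice": {"password": "correct horse", "email": "alice@example.com"}}
PENDING_RESETS = {}            # username -> [code, expiry timestamp, attempts left]
CODE_TTL_SECONDS = 15 * 60     # assumed lifetime of a reset code
MAX_ATTEMPTS = 5               # assumed cap on wrong guesses per code


def request_reset(username, now=None):
    """Step 1: generate a code and 'email' it to the registered address.

    The code is returned only so a test can stand in for the inbox; the real
    flow never hands it to the client that asked for the reset.
    """
    if username not in ACCOUNTS:
        return None
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_RESETS[username] = [code, now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
    return code


def verify_code_vulnerable(username, submitted, now=None):
    """Buggy check: it only compares when the client actually sent a code,
    so an empty (or missing) submission falls through as 'verified'."""
    pending = PENDING_RESETS.get(username)
    if submitted and pending and submitted != pending[0]:
        return False
    return True


def verify_code_fixed(username, submitted, now=None):
    """Corrected check: fail closed on missing state or blank input, reject
    expired codes and exhausted attempts, compare in constant time, and
    consume the code on success so it cannot be replayed."""
    now = time.time() if now is None else now
    pending = PENDING_RESETS.get(username)
    if pending is None or not isinstance(submitted, str) or not submitted:
        return False
    code, expires_at, attempts_left = pending
    if now > expires_at or attempts_left <= 0:
        PENDING_RESETS.pop(username, None)
        return False
    if not hmac.compare_digest(code.encode(), submitted.encode()):
        pending[2] -= 1            # burn one guess
        return False
    PENDING_RESETS.pop(username)   # single use
    return True


def change_password(username, submitted_code, new_password,
                    verify=verify_code_fixed, now=None):
    """Step 3: rotate the credential only if the chosen verifier passes."""
    if username not in ACCOUNTS or not verify(username, submitted_code, now):
        return False
    ACCOUNTS[username]["password"] = new_password
    return True
```

With the vulnerable verifier, `change_password("alice", "", "pwned", verify=verify_code_vulnerable)` succeeds without the attacker ever seeing the code; with the fixed verifier the same call fails, and only the emailed code, used once and within its lifetime, lets the password change through.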
Valve have apologised for any issues caused by the loophole in the password reset system, which they are referring to as a bug. What I don’t understand is how this simple error managed to slip past a company that has a good reputation for security. I am not an expert in digital security or programming software, but I would like to think that a company such as Valve would test their software to prevent issues like this from happening.
In the apology sent to affected users, Valve also promoted its Steam Guard service, stating that accounts with Steam Guard enabled were protected from unauthorised logins even if the password was modified. Steam Guard is an additional layer of security for Steam accounts: when it is active, anyone attempting to log in from an unrecognised device must also provide an authorisation code sent to the account's contact email address, so a stolen or reset password on its own is not enough to get in.
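As an added example (hypothetical, not Steam's implementation and not from the original post), the following Python sketch shows why a second factor tied to the email address blunts a password reset: even after the password has been changed, a login from an unrecognised device is held until the emailed code is presented, while a recognised device skips the prompt. The account, device names and code format are constructed; `login` returns the code only so a test can stand in for the inbox, which a real service would never do.

```python
"""Hypothetical login service with a Steam-Guard-style second factor.

Added illustration, not Steam's code. Account, devices and codes are
constructed for the demonstration.
"""
import hmac
import secrets

ACCOUNTS = {
    "alice": {
        "password": "correct horse",
        "guard_enabled": True,
        "known_devices": {"alice-laptop"},   # devices already authorised
    },
}
PENDING_GUARD = {}   # (username, device_id) -> code 'emailed' to the contact address


def _equal(a, b):
    """Constant-time string comparison that also rejects non-string input."""
    return (isinstance(a, str) and isinstance(b, str)
            and hmac.compare_digest(a.encode(), b.encode()))


def login(username, password, device_id, guard_code=None):
    """Return (status, detail) where status is 'ok', 'denied' or 'guard_required'.

    detail carries the freshly generated guard code on 'guard_required' so a
    test can play the part of the inbox; a real service would email it and
    return nothing.
    """
    acct = ACCOUNTS.get(username)
    if acct is None or not _equal(acct["password"], password):
        return ("denied", None)
    # A correct password from a recognised device is enough.
    if not acct["guard_enabled"] or device_id in acct["known_devices"]:
        return ("ok", None)
    key = (username, device_id)
    if guard_code is None:
        # Unrecognised device: issue a code and hold the login until it comes back.
        code = f"{secrets.randbelow(10**5):05d}"
        PENDING_GUARD[key] = code
        return ("guard_required", code)
    # Any presented code, blank included, consumes the pending code so it
    # cannot be guessed repeatedly; a failure forces a fresh issue.
    expected = PENDING_GUARD.pop(key, None)
    if expected is None or not _equal(expected, guard_code):
        return ("denied", None)
    acct["known_devices"].add(device_id)
    return ("ok", None)
```

The scenario from the article maps onto the test: the attacker has already reset the password, logs in from their own machine, and is stopped at the guard prompt; submitting a blank code, the very trick that worked against the reset flow, is treated as a wrong code rather than as no code.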
Now that Valve has closed the loophole, the normal password reset process is back in effect, with the security code required before the password can be changed. Perhaps it is now time, if you haven’t already done so, to activate Steam Guard as an additional layer of protection, in case lightning happens to strike twice.