
This article was published on July 27, 2015

    Massive Steam security flaw left accounts wide open

    Story by Owen Williams, former TNW employee

    Owen was a reporter for TNW based in Amsterdam, now a full-time freelance writer and consultant helping technology companies make their words friendlier. In his spare time he codes, writes newsletters and cycles around the city.

    Over the weekend a major flaw in Steam’s account login process was discovered that allowed users to reset any account knowing only the target’s email address.

    Exploiting the security hole was as easy as requesting a password reset code, then visiting the special reset page and pushing OK.

    That reset page usually asks for a code that’s sent to your email address to verify your identity, but it would also accept an empty code as valid.

    This meant that anyone could break into a Steam account and change the password without needing access to the recovery email address. The bug is now fixed, but that’s one hell of a hole for such a valuable software platform.
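As an added illustration (constructed for this article, not Steam's code, which the piece does not show), the Python below models a password-reset verifier with the kind of guard that lets an empty code through, beside a hardened version that rejects empty input, compares in constant time, expires codes and makes them single-use:

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class ResetRecord:
    code: str          # code that was emailed to the account holder
    expires_at: float  # unix time after which the code is dead
    used: bool = False


class InsecureResetService:
    """Constructed model of the failure mode: a guard written as
    'if a code was supplied, it must match' silently passes when
    nothing at all is supplied."""

    def __init__(self):
        self.pending = {}  # email -> ResetRecord

    def request_reset(self, email):
        code = secrets.token_urlsafe(16)
        self.pending[email] = ResetRecord(code, time.time() + 600)
        return code  # would be emailed in a real system

    def verify(self, email, submitted):
        record = self.pending.get(email)
        if record is None:
            return False
        # Bug: "submitted and" turns an empty code into a no-op check.
        if submitted and submitted != record.code:
            return False
        return True


class HardenedResetService(InsecureResetService):
    def verify(self, email, submitted):
        record = self.pending.get(email)
        if record is None or record.used or time.time() > record.expires_at:
            return False
        if not submitted:           # empty/missing code is never valid
            return False
        # Constant-time comparison; a mismatch is a hard failure.
        if not hmac.compare_digest(submitted.encode(), record.code.encode()):
            return False
        record.used = True          # one successful use, then burn it
        return True
```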

    Steam told Kotaku that the bug affected only a small number of accounts between July 21 – 25. Still, that’s a long time to leave users wide open to such a major attack vector.

    The company is resetting passwords on any affected accounts.

    The best way to protect yourself against this kind of attack would be enabling Steam’s two-factor authentication, which would block an attacker from logging in even with your password.