The last couple of years saw major data breaches at even the top tech companies, including the likes of Google, Apple and Yahoo. However, it seems that a few companies are yet to learn how to take identity management seriously.
If you are into gaming, then you must have heard about Steam, a digital distribution platform created by the Valve Corporation. It is known for providing services like multiplayer gaming, video streaming, digital rights management (DRM), and social networking. Users can install and automatically update games while being part of friends lists and groups.
So when Steam gamers found that their accounts had been hacked, it became a huge issue. When confronted, Valve blamed the hole on a ‘bug’, but there seemed to be something more serious at work. The loophole that made it easy for hackers to get into Steam accounts was acting more like an authentication pit that could be exploited to hijack accounts.
Needless to say, gamers and Twitch streamers were not happy and wanted the problem fixed. As long as this critical hole was left unattended, nobody’s data was safe.
However, Valve has now managed to resolve the issue and patch the pit.
So what was the issue?
The password reset issue that allowed hackers to get into Steam accounts was not very difficult to exploit.
Once the Steam login page was open, the attacker only had to click on the “Forgot Password” option on the page, enter the account name of the victim, and click the Search button. Steam would then ask the hacker how they wanted to reset the password, and they would ask for a code to be sent by email.
Here is where things went wrong. Even if the hacker didn’t fill in the recovery code that was sent to the victim’s account, they could just click Continue, leaving the account recovery code box blank.
The next page would then give the hacker all the details needed to get complete control over the account.
It’s surprising that Steam would miss such a simple error, and it points to some grave quality control issues in the backend team. Even if the developer did forget to make filling out the code a mandatory requirement, there should have been a recheck before the process went live.
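The missing check described above, as an added example that is not Valve's code: a Python sketch of a reset-code verifier where a blank field falls through (`verify_weak`) beside one that enforces the code on the server (`verify_strict`). The `ResetRequest` model, the function names, the 10-minute lifetime and the five-attempt limit are assumptions; the page does not describe how Steam's backend was implemented.

```python
import hmac
import time

MAX_ATTEMPTS = 5  # assumed per-request guess limit


class ResetRequest:
    """One pending password reset, stored server-side (hypothetical model)."""

    def __init__(self, account, code, ttl=600, now=None):
        self.account = account
        self.code = code  # code e-mailed to the account owner
        self.expires_at = (time.time() if now is None else now) + ttl
        self.attempts = 0
        self.verified = False


def verify_weak(req, submitted):
    """Flawed pattern: the comparison only runs when a value was submitted."""
    if submitted and submitted != req.code:
        return False
    req.verified = True  # a blank field falls through to here
    return True


def verify_strict(req, submitted, now=None):
    """Hardened check: blank, expired, reused or over-limit requests fail."""
    now = time.time() if now is None else now
    if req.verified or now >= req.expires_at or req.attempts >= MAX_ATTEMPTS:
        return False
    req.attempts += 1
    if not isinstance(submitted, str) or not submitted.strip():
        return False  # the code is mandatory on the server, not just in the form
    if not hmac.compare_digest(submitted.strip().encode(), req.code.encode()):
        return False
    req.verified = True
    return True


def can_set_new_password(req):
    """The final reset step must depend on this server-side flag only."""
    return req.verified
```

A regression test that submits an empty code and asserts the reset stays locked is the kind of recheck that would catch this before release.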
So far, there has not been a satisfactory official response from Valve regarding the password reset vulnerability. The millions of gamers who were affected by the issue are incensed, especially because there are rumours floating around that even Steam Guard could not save the accounts from being hacked.
Valve, however, has claimed that Steam Guard did manage to protect some of the accounts. They have also mentioned that they will be working to reset the passwords for accounts which had suspicious password changes while the hole was still there. Users are supposed to receive an email with the full details.
Steam can definitely expect its brand reputation to take a hit following this incident. A favorite among gamers, Steam needs to be the first to understand that digital safety has to be taken more seriously.