The lack of proper form validation rules on the password recovery section exposes Steam accounts to annoying tricksters

Jul 27, 2015 08:18 GMT

Valve has fixed an issue that allowed Steam accounts to be hijacked by anyone, even without technical or programming skills. This was made possible by a mistake in the password reset form, which didn't include a validation procedure before redirecting users to a new page.

Anyone who wanted to gain access to another person's Steam account only had to follow the classic password recovery process.

They started by entering the username of the account they wanted to access and choosing the "Email an account recovery code to [email protected]" option.

On the next page, where the recovery code was supposed to be entered, users could simply leave the field blank and press the "Submit" button.

Because the form field did not include a data validation procedure that made sure the user entered text in the field, it would (mind-bogglingly) redirect the user to the next page, which allowed them to choose a new password (for an account they did not own).
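The following is an added example, not Valve's code and not part of the original article: a minimal server-side recovery-code check in Python. `verify_naive` shows one hypothetical way an empty field can fall through to success, while `verify` fails closed on empty input and adds expiry, an attempt limit and single use. All names and limits are assumptions for illustration.

```python
import hmac
import secrets
import time

CODE_TTL = 15 * 60   # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5     # guesses allowed per issued code (assumed policy)

class ResetStore:
    """In-memory stand-in for server-side reset state (constructed for this example)."""

    def __init__(self):
        self._pending = {}  # username -> [code, expires_at, attempts_left]

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        code = secrets.token_hex(4).upper()
        self._pending[username] = [code, now + CODE_TTL, MAX_ATTEMPTS]
        return code  # in a real flow this is emailed, never sent to the browser

    def verify_naive(self, username, submitted):
        # Flawed pattern: only a non-empty wrong code is rejected, so a blank
        # submission skips the comparison and falls through to success.
        entry = self._pending.get(username)
        if submitted and entry and submitted != entry[0]:
            return False
        return True

    def verify(self, username, submitted, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        # Fail closed: no pending reset, wrong type or blank input is a rejection.
        if entry is None or not isinstance(submitted, str) or not submitted.strip():
            return False
        code, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            self._pending.pop(username, None)  # expired or exhausted: discard
            return False
        entry[2] -= 1  # count this guess before comparing
        # Constant-time comparison avoids leaking how much of the code matched.
        ok = hmac.compare_digest(submitted.strip().upper().encode(), code.encode())
        if ok:
            self._pending.pop(username)  # single use
        return ok
```

The check that matters is the one on the server: a required-field rule in the browser form can be bypassed by submitting the request directly.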

The issue was first reported to Valve by prominent gamers a few days ago, and Valve fixed it on Saturday.

The passwords were never leaked at any point in the process

In an email to its users, Valve says the following, "On July 25th we learned of a Steam bug that could have impacted the password reset process on your Steam account during the period July 21-July 25. The bug has now been fixed."

The email continues, "To protect users, we are resetting passwords on accounts that changed passwords during that period using the account recovery wizard. You will receive an email with your new password. Once that email is received, it is recommended that you login to your account via the Steam client and set a new password."

According to the same email, the passwords were never leaked or revealed in clear text at any time. "Please note that while your password was potentially modified during this period the password itself was not revealed. Also, if you had Steam Guard enabled, your account was protected from unauthorized logins even if your password was modified," it reads.