Skip to content ↓ | Skip to navigation ↓

Valve has plugged a bug that potentially allowed attackers to reset Steam users’ passwords without proper validation.

According to Master Herald, all an attacker needed to exploit this issue was the account name of a user of Steam, a gaming distribution service.

Using an account name, an attacker could initiate Steam’s “forgot password” protocol, which would send a password reset email to that particular user containing a code that they could use to create a new password. As UK gamer Elm Hoe discovered, however, Steam’s servers were not validating this code. An attacker could therefore leave the “enter the code” text field empty and simply move on to the “create new password” page.

Hoe has posted a video of the exploit, which can be viewed below:

Valve, which owns Steam, learned of the bug over the weekend and has since patched the issue. It has also issued the following statement:

To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.

Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified.

We apologize for any inconvenience.

Steam users are urged to enable Steam Guard, a form of two-factor authentication, if they have not all ready done so to prevent similar issues from threatening their accounts should similar bugs emerge in the future.

News of this vulnerability emerges after a strain of malware called ‘Eskimo’ began targeting Steam users’ digital wallets back in the fall of 2014.