Over the weekend, game publisher Valve patched a vulnerability that let user accounts have their passwords reset without proper validation.
The coding error was simplicity in itself. After the usual “forgot password” preliminaries, a user is supposed to get an e-mail with a reset code, and use that code to take them to the “new password” page.
Only: as Hoe showed, the server wasn’t validating the codes. If he left the “enter the code” field empty, he could click through to the “new password” page.
Since users can easily see the userid of other players, it was trivial to hijack any other users account.
As he points out, now Valve is aware of the issue, anyone trying the hijack would be risking a permanent ban.
Valve has fixed the bug, and told Kotaku it would notify users if it believed their passwords showed suspicious password reset activity. It claimed its Steam Guard option, if used, would protect users against the bug.
Master Herald says the bug affected a number of “prominent Twitch streamers” whose accounts are currently locked down (because Valve’s triage response was to put a five-day ban on accounts whose passwords were reset).
Reddit, naturally, is lit up over the issue.