Valve’s Steam, an American video game development and digital distribution company headquartered in Bellevue, Washington, United States which has millions of accounts all over the world, has fixed a loophole which could allow an attacker easily take over an arbitrary account by using account’s username.
According to a report published in Master Herald, a flaw in the Steam’s password recovery feature was the reason behind the exploitation. As per a demonstration in a video posted on YouTube, the feature sends a recovery code to the registered e-mail address linked with the account. The code needs to be entered on a form through the Steam website.
However, the attacker could skip that code entry step, leaving the recovery code area blank, and have full access to the password change dialog. Although, the company has fixed the loophole, the vulnerability had done a lot of damages many users’ account.
“Now, the users, who actively trade on the Steam Market, are worried as they think their accounts have been compromised.
However, it is said that the Valve hasn’t commented on the situation yet.
The company has urged its users to keep an eye on their e-mail accounts. If an e-mail related to password recovery is received, the user should definitely not ignore it, and proceed to verify that their account is still accessible.
It is important to note that the information contained in the e-mail itself is not necessary to carry out the attack.
“Receiving this e-mail is simply a sign that the user is being targeted with the attack. However, some have reported that even changing their password has been ineffective, as the hackers are able to simply keep resetting it over and over again, and there was no good way to stop them,” the report added.