Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Bug Security Games IT

Steam Bug Shows You Other Users' Account Details (kotaku.com) 92

An anonymous reader writes: The Steam game distribution platform is suffering from a particularly bad bug right now. If you log in and try to look at your account details, you're shown the details of another user's account — seemingly picked at random. This includes email address, last 4 digits of a phone number, whether SteamGuard (their two-factor authentication) is enabled, and the last 2 digits of an associated credit card. If you play a game, Steam will show you as being logged in as somebody else while in that game. Many users are being shown pages in other languages, as they are mistaken for players in different regions. This bug follows an apparent DDoS attack that took the service down for several hours. The bug doesn't seem to allow people to purchase games using a different account. That's good, though that means most, perhaps all players, are unable to buy games on Christmas during Steam's huge Winter Sale.
This discussion has been archived. No new comments can be posted.

Steam Bug Shows You Other Users' Account Details

Comments Filter:
  • Oh wow, Valve has simply turned Steam off for the moment.

    Merry Christmas, Valve guys.

  • In theory. That's just creepy.
  • promising DDoS [techworm.net]

    Who knows. Whatever it is it's too late to matter. Most people who were going to buy shit bought it before today. You can still play your games with this being broken. Although it is scary to see account details change (mine haven't but it did switch to Portugeuse).

    • Re: (Score:3, Informative)

      by Mashiki ( 184564 )

      According to Steam.DB it's a page caching issue [twitter.com], and the server not obeying cache control headers. Which wouldn't surprise me, everytime there's a holiday sale of some kind weird things happen on Steam.

      Why anyone would post something from Kotaku and believe it to be trustworthy though is what I find funny in all of this. I'm surprised that Kotaku didn't try to blame white males and the patriarchy for the problems.

      • by waspleg ( 316038 )

        Yea, I saw that, but steamdb.info isn't steam (I donated money to them yesterday because they're awesome, though).

        I read something that supposedly they got DDoS'd this morning for 2 hours but who knows if that's true I was busy opening presents and eating ham and whatnot.

        The official post which just came out is pretty vague.

      • Re: (Score:1, Offtopic)

        by Nrrqshrr ( 1879148 )
        Ironically, kotaku is getting tame with their SJW-pandering with each passing day.
        Probably because they realized that alienating generally tech-savvy people who know what adblock is, to attract an audience that doesn't even play video games isn't a sound business plan.
        • by Anonymous Coward

          Ironically, kotaku is getting tame with their SJW-pandering with each passing day.
            Probably because they realized that alienating generally tech-savvy people who know what adblock is, to attract an audience that doesn't even play video games isn't a sound business plan.

          Confused as to how SJW's fit into this conversation, or even your post.

          • Re: (Score:2, Informative)

            by Mashiki ( 184564 )

            Confused as to how SJW's fit into this conversation, or even your post.

            Kotaku has a long history of pandering to the lowest common denominator when they publish an article. If they're not pandering and trying to blame something on xyz group to draw in clicks, they're running wild claiming that xyz group is the cause of the ills in the first place by just shoving it in there.

            • by Mashiki ( 184564 )

              I'm going to toss something else in here, this is the same organization that now no longer receiving any information from Bethesda or Ubisoft because of their actions. They're no longer invited to any demos, no E3 presentations nothing. [gamezone.com] They've spent the last 5+ years pissing on both of those companies games, on the developers themselves, and on individual people. All the while launching personal attacks, leaking information and yelling all over the place how "sexist/problematic/racist" xyz game(s) are b

        • Ironically, kotaku is getting tame with their SJW-pandering with each passing day.

          I'm curious as to your definition of "ironically".

          • by sumdumass ( 711423 ) on Friday December 25, 2015 @08:07PM (#51184245) Journal

            Don't get too upset. He graduated from high school with Alanis Morissette. Evidently, the class to graduate the year before them thought they were too self centered so for the senior prank, they tore every page in the dictionaries out that defined any word starting with the letter i. Some seniors glued copies of other pages defining words like team, you, them and so on in their place. Some seniors drew pictures of spiders and stick figures in dunce hats thinking they would be funny or something.

            Anyways, it left a generation not knowing the definition of Irony (no, it's not something that feels like metal or clothing your mom pressed).

            • About Alanis... Cosmic irony. Look it up.

            • by KGIII ( 973947 )

              (no, it's not something that feels like metal or clothing your mom pressed).

              Well, that's ironic.

              *whistles innocently*

            • That's fucking hilarious. You try to come off as so intelligent and informed, it is almost ironic that your Slashdot alias is sumdumass. I wish I could be there to see your face when you figure out that Alanis understands irony [reference.com] far better than you.
              • I wouldn't say far better or anything close to the sorts. You almost got there, you admitted it was hilarious but still couldn't get the joke. Of course the story about high school kids tearing out everything in the dictionary that starts with the letter i must be what you thought was intelligent and informed.

                People like you sadden me. But I'm still in the Christmas spirit so I will just wish you and your family well into the new year.

                • Imagine my surprise that you don't know what the phrase "started out" means.

                  "I wouldn't say far better or anything close to the sorts. "

                  That is because you are an idiot. You clearly claimed that Alanis doesn't know what irony means, proving that you don't (since she does.) Only you would claim that actually knowing something doesn't represent a far better understanding than not knowing. But I will say this: you are honest to a fault, at least as far as your Slashdot alias goes.

                  • No I did not clearly claim Alanis doesn't know what Irony means. I clearly claimed that a bunch of high school kids tore pages from a dictionary in an attempt to make a joke. Anything you are referring to other than that is your misguided imagination. Do you understand what that means? It is all in your head.

                    Now we can talk about your inability to see signs of mental disorder all day long if you want. I would start with pointing out that you cannot take a joke and for some incessant reason have to defend Al

                    • From your OP:

                      "Don't get too upset. He graduated from high school with Alanis Morissette."

                      Only a moron would claim "No I did not clearly claim Alanis doesn't know what Irony means." after writing that for all the world to see.

                    • Wow.. How daft can you be?

                      Ok, lets follow this thread, someone stated how stupid it was to link to kotaku and think it was trustworthy. He then said he was surprised how they didn't try to push the BS SJW crap along with it. The next poster said that kotaku is finding their business model doesn't fit with the SJW crap and has been backing off it. Kodaku is known for pushing the SJW bullshit but seems to be stepping away in favor of profits because the people they attract with the SJW bullshit don't get them

      • by Anonymous Coward on Friday December 25, 2015 @05:16PM (#51183623)

        According to Steam.DB it's a page caching issue, and the server not obeying cache control headers. Which wouldn't surprise me, everytime there's a holiday sale of some kind weird things happen on Steam.

        In other words, Valve screwed up.

        Because short of some massive MITM attack, it means Valve's account servers are being sent through their caching server. Think about that for a moment - Valve's caching your account page - why? This is a page that has your personal information, and it's being cached by Valve's caching servers before they're being encrypted by the SSL edge device (most traffic is unencrypted, even the secure servers, while it travels on the internal company network - an SSL edge device/load balancer encrypts it before it hits the internet. This is why a caching server can actually cache it - as far as it's concerned, it's regular HTTP traffic).

        And even worse, that caching server, owned by Valve, is configured to only look at headers - it's not set up to simply not cache specific servers.

        There is NOTHING you or I could do to prevent this - it's a pretty epic screw up. One hopes that their credit card payment system isn't this lax - imagine purchasing a game and having your credit card payment cached. Looks like it's not just stores and restaurants, but internet e-commerce sites that can screw up as well.

        • by Gumshoe ( 191490 ) on Friday December 25, 2015 @06:38PM (#51183965) Journal

          Without knowing more details, I think your analysis sounds correct.

          What I want to know is, why isn't this information encrypted apart from the SSL connection? There should be a public-private key pair for every customer managed by the Steam infrastructure and which is used to encrypt these sensitive details. In other words, personal information is encrypted long before it gets anywhere near the caches. That way, if there is a caching problem, the problem is minimal.

          I don't like the idea of relying on SSL to protect this information.

          Shrugs. I don't know (none of us do at this point) but I'll be very interested to hear what the cause of all this is.

        • by Anonymous Coward

          They are not going to be dumb enough to do that. It's fairly obvious that what happened was the result of the page submission (i.e. post-CC data submission) was cached and was showing to the wrong people. It's even probable that they are using Varnish or nginx and just misconfiguring the hash (i.e. not setting it per-unique session by accident).

          You are completely wrong about using HTTP vs HTTPS, reverse proxies support HTTPS just fine and both can configured with the private key (or different private keys t

      • by Anonymous Coward

        Ah ok, makes sense that it was a SystemD problem.

      • by phorm ( 591458 )

        Sounds like a likely enough explanation.. Configuring caching correctly for a site with mixed content can often be a bit of a bitch. Steam probably uses a lot of caching in general, and may turn things up during the big sales, so if somebody misconfigured, for example, mod_cache you could easily get bugs like this where users end up seeing others' details. I remember years back Apache on RHEL changed the way certain options for caching behaved, which bit a number of people in unexpected ways.

      • by Anonymous Coward

        PSA: If you can't talk about cache control headers without devolving into a rant about "SJWs," no one is ever going to take you seriously.

    • by izat ( 3962693 )
      My guess is Steam reconfigured their caching servers in an attempt to mitigate the DDoS attack and accidentally screwed things up (caching signed-in requests).
  • by waspleg ( 316038 ) on Friday December 25, 2015 @04:50PM (#51183481) Journal

    from a community mod [steamcommunity.com]

    They're going around locking topics like whackamole now.

    Here's the text if you're leery:

    Account information incorrect
    We've gotten reports that people sometimes see other people's account information on the account page. Valve has been made aware of this and are working on a fix.

    Some frequently asked questions:
    - No, Steam is not hacked

    - Creditcard info and phone numbers are, as required by law, censored and not visible to users

    • by Anonymous Coward

      And that is why Linux is so much safer: my steam hasn't been working since the nvidia update over a month ago. Everything Linux does is a security feature :3

    • Maybe email addresses should be obscured too, just a thought...
  • by Anonymous Coward

    If you login to check if it's broken, you're account details could be cached for someone else to view. If you don't login, they won't be cached.

  • I do hope the scriptkiddies who ddossed it (and the other major gaming networks) are being found and send to prison... (if it were up to me, they should even get their heads smashed in)..
  • Just another reason that Steam is awful. This is what happens when you put all your eggs in one basket. Who thought it was a good idea to have this ugly, buggy, bloated, and now apparently insecure, program installed alongside every single PC release? And the worst part is that there is no alternative. Origin only offers EA games, and GOG doesn't have many (if any) new releases.

    I really can't wait for another service to come along and knock Steam off their pedestal. Maybe then it will force Valve to get the

    • Comment removed based on user account deletion
      • Oh boo bloody hoo, the servers were down for less than an hour, during the most hectic sale they have each year

        It's not just this, trust me. There's a whole host of reasons why Steam is awful. Too many for me to list them all in detail, although most of them can be summed up as "bad customer support". But I know that to try and change your opinion would be futile, enjoy defending Valve. I'm sure they really appreciate you.

    • Comment removed based on user account deletion
  • ... They ask every tine I start steam... Is this your email address, please confirm, so I do then then next time I start it... Is this your mail address! For security :)
  • Why does Valve (as well as other vendors) hold on to CC info? After completing a transaction the vendor ought to throw that info away. Yes, it is annoying to type the numbers in again each time, but that is much better compared to having CC info stolen. Where are the legislators when we need them? Storing CC info beyond transaction completion should not be permitted for a vendor. Likewise, using the SSN for anything else other than dealing with federal and state departments ought to be disallowed as well. W

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...