Steam Bug Shows You Other Users' Account Details (kotaku.com) 92
An anonymous reader writes: The Steam game distribution platform is suffering from a particularly bad bug right now. If you log in and try to look at your account details, you're shown the details of another user's account — seemingly picked at random. This includes email address, last 4 digits of a phone number, whether SteamGuard (their two-factor authentication) is enabled, and the last 2 digits of an associated credit card. If you play a game, Steam will show you as being logged in as somebody else while in that game. Many users are being shown pages in other languages, as they are mistaken for players in different regions. This bug follows an apparent DDoS attack that took the service down for several hours. The bug doesn't seem to allow people to purchase games using a different account. That's good, though that means most, perhaps all players, are unable to buy games on Christmas during Steam's huge Winter Sale.
Turned off (Score:2)
Oh wow, Valve has simply turned Steam off for the moment.
Merry Christmas, Valve guys.
Actually (Score:2)
They haven't. Which is the problem. Just look at the Discussions tab under Steam Discussions. It's total chaos.
Re:Actually (Score:4, Funny)
You fool! This is the Combine's first preinvasion tactic!
Disorient, Divide and Conquer. It's right there in the G-Man's playbook, clear as crystal!
So you can meet yourself in-game ? (Score:1)
People are speculating it's these shit stains (Score:2)
promising DDoS [techworm.net]
Who knows. Whatever it is, it's too late to matter. Most people who were going to buy shit bought it before today. You can still play your games with this being broken. Although it is scary to see account details change (mine haven't but it did switch to Portuguese).
Re: (Score:3, Informative)
According to Steam.DB it's a page caching issue [twitter.com], and the server not obeying cache control headers. Which wouldn't surprise me, every time there's a holiday sale of some kind weird things happen on Steam.
Why anyone would post something from Kotaku and believe it to be trustworthy though is what I find funny in all of this. I'm surprised that Kotaku didn't try to blame white males and the patriarchy for the problems.
Re: (Score:2)
Yea, I saw that, but steamdb.info isn't steam (I donated money to them yesterday because they're awesome, though).
I read something that supposedly they got DDoS'd this morning for 2 hours but who knows if that's true I was busy opening presents and eating ham and whatnot.
The official post which just came out is pretty vague.
Re: (Score:1, Offtopic)
Probably because they realized that alienating generally tech-savvy people who know what adblock is, to attract an audience that doesn't even play video games isn't a sound business plan.
Re: (Score:1)
Ironically, kotaku is getting tame with their SJW-pandering with each passing day.
Probably because they realized that alienating generally tech-savvy people who know what adblock is, to attract an audience that doesn't even play video games isn't a sound business plan.
Confused as to how SJW's fit into this conversation, or even your post.
Re: (Score:2, Informative)
Confused as to how SJW's fit into this conversation, or even your post.
Kotaku has a long history of pandering to the lowest common denominator when they publish an article. If they're not pandering and trying to blame something on xyz group to draw in clicks, they're running wild claiming that xyz group is the cause of the ills in the first place by just shoving it in there.
Re: (Score:2)
I'm going to toss something else in here, this is the same organization that now no longer receiving any information from Bethesda or Ubisoft because of their actions. They're no longer invited to any demos, no E3 presentations nothing. [gamezone.com] They've spent the last 5+ years pissing on both of those companies games, on the developers themselves, and on individual people. All the while launching personal attacks, leaking information and yelling all over the place how "sexist/problematic/racist" xyz game(s) are b
Re: (Score:2)
Ironic how the "it's actually about ethics in games journalism" people really just seem to want journalists to attend industry shindigs and write whatever the damn publishers tell them to.
Ironic that the people who spout the above don't seem to be able to figure out that a company has the right to refuse disclosing information to anyone, especially to an outlet that goes out of its way to damage its brand.
Re: (Score:2)
I'm curious as to your definition of "ironically".
Re:People are speculating it's these shit stains (Score:4, Funny)
Don't get too upset. He graduated from high school with Alanis Morissette. Evidently, the class to graduate the year before them thought they were too self centered so for the senior prank, they tore every page in the dictionaries out that defined any word starting with the letter i. Some seniors glued copies of other pages defining words like team, you, them and so on in their place. Some seniors drew pictures of spiders and stick figures in dunce hats thinking they would be funny or something.
Anyways, it left a generation not knowing the definition of Irony (no, it's not something that feels like metal or clothing your mom pressed).
Re: (Score:1)
About Alanis... Cosmic irony. Look it up.
Re: (Score:1)
(no, it's not something that feels like metal or clothing your mom pressed).
Well, that's ironic.
*whistles innocently*
Re: (Score:2)
I wouldn't say far better or anything close to the sorts. You almost got there, you admitted it was hilarious but still couldn't get the joke. Of course the story about high school kids tearing out everything in the dictionary that starts with the letter i must be what you thought was intelligent and informed.
People like you sadden me. But I'm still in the Christmas spirit so I will just wish you and your family well into the new year.
Re: (Score:2)
That is because you are an idiot. You clearly claimed that Alanis doesn't know what irony means, proving that you don't (since she does.) Only you would claim that actually knowing something doesn't represent a far better understanding than not knowing. But I will say this: you are honest to a fault, at least as far as your Slashdot alias goes.
Re: (Score:2)
No I did not clearly claim Alanis doesn't know what Irony means. I clearly claimed that a bunch of high school kids tore pages from a dictionary in an attempt to make a joke. Anything you are referring to other than that is your misguided imagination. Do you understand what that means? It is all in your head.
Now we can talk about your inability to see signs of mental disorder all day long if you want. I would start with pointing out that you cannot take a joke and for some incessant reason have to defend Al
Re: (Score:2)
Only a moron would claim "No I did not clearly claim Alanis doesn't know what Irony means." after writing that for all the world to see.
Re: (Score:2)
Wow.. How daft can you be?
Ok, let's follow this thread. Someone stated how stupid it was to link to kotaku and think it was trustworthy. He then said he was surprised how they didn't try to push the BS SJW crap along with it. The next poster said that kotaku is finding their business model doesn't fit with the SJW crap and has been backing off it. Kotaku is known for pushing the SJW bullshit but seems to be stepping away in favor of profits because the people they attract with the SJW bullshit don't get them
Re:People are speculating it's these shit stains (Score:5, Informative)
In other words, Valve screwed up.
Because short of some massive MITM attack, it means Valve's account servers are being sent through their caching server. Think about that for a moment - Valve's caching your account page - why? This is a page that has your personal information, and it's being cached by Valve's caching servers before it's encrypted by the SSL edge device (most traffic is unencrypted, even the secure servers, while it travels on the internal company network - an SSL edge device/load balancer encrypts it before it hits the internet. This is why a caching server can actually cache it - as far as it's concerned, it's regular HTTP traffic).
And even worse, that caching server, owned by Valve, is configured to only look at headers - it's not set up to simply not cache specific servers.
There is NOTHING you or I could do to prevent this - it's a pretty epic screw up. One hopes that their credit card payment system isn't this lax - imagine purchasing a game and having your credit card payment cached. Looks like it's not just stores and restaurants, but internet e-commerce sites that can screw up as well.
Re:People are speculating it's these shit stains (Score:4, Insightful)
Without knowing more details, I think your analysis sounds correct.
What I want to know is, why isn't this information encrypted apart from the SSL connection? There should be a public-private key pair for every customer managed by the Steam infrastructure and which is used to encrypt these sensitive details. In other words, personal information is encrypted long before it gets anywhere near the caches. That way, if there is a caching problem, the problem is minimal.
I don't like the idea of relying on SSL to protect this information.
Shrugs. I don't know (none of us do at this point) but I'll be very interested to hear what the cause of all this is.
Re: (Score:1)
Understood. However, I would say that encrypting this sort of personal information on a per-customer basis is worth the resource hit. We shouldn't want that information cached even by accident.
Re: (Score:1)
They are not going to be dumb enough to do that. It's fairly obvious that what happened was that the result of the page submission (i.e. post-CC data submission) was cached and was being shown to the wrong people. It's even probable that they are using Varnish or nginx and just misconfiguring the hash (i.e. not setting it per-unique session by accident).
You are completely wrong about using HTTP vs HTTPS, reverse proxies support HTTPS just fine and both can be configured with the private key (or different private keys t
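The caching failure the thread is arguing about (the Score:5 comment above on the account page passing through a shared cache that "only looks at headers", the SteamDB claim that the server isn't obeying cache control headers, and the comment just above about a Varnish/nginx cache hash not being keyed per session) can be reproduced with a toy model. This is an added example, not Valve's or Steam's code, and the origin, the paths, the session table and the account records in it are all constructed. It shows the same account page served to two different users when the cache keys on URL only and ignores Cache-Control, and then the two corrections: honour private / no-store, and refuse to cache the account path at all regardless of what the origin sends.

```python
"""Toy shared cache in front of a personalised page (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed session table: session cookie -> account record.
SESSIONS = {
    "sess-alice": {"email": "alice@example.com", "phone_last4": "1234"},
    "sess-bob": {"email": "bob@example.com", "phone_last4": "9876"},
}


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def origin(path: str, cookie: Optional[str]) -> Response:
    """Hypothetical origin server: /account is personalised, /store is public."""
    if path == "/account":
        acct = SESSIONS.get(cookie)
        if acct is None:
            return Response(401, {"Cache-Control": "no-store"}, "login required")
        body = f"email={acct['email']} phone=****{acct['phone_last4']}"
        # What a personalised page should send: never store it in a shared cache.
        return Response(200, {"Cache-Control": "private, no-store", "Vary": "Cookie"}, body)
    if path == "/store":
        return Response(200, {"Cache-Control": "public, max-age=60"}, "Winter Sale: 75% off")
    return Response(404, {"Cache-Control": "no-store"}, "not found")


def cache_control_directives(headers: dict) -> set:
    """Parse 'private, no-store' / 'public, max-age=60' into directive names."""
    raw = headers.get("Cache-Control", "")
    return {d.strip().split("=")[0].lower() for d in raw.split(",") if d.strip()}


class ProxyCache:
    """Shared cache with the knobs the thread argues over."""

    def __init__(self, honour_cache_control: bool, vary_on_cookie: bool, never_cache_prefixes=()):
        self.honour_cache_control = honour_cache_control
        self.vary_on_cookie = vary_on_cookie
        self.never_cache_prefixes = tuple(never_cache_prefixes)
        self.store = {}
        self.hits = 0

    def _key(self, path, cookie):
        # The bug: a key of path alone means one user's page answers everyone's request.
        return (path, cookie) if self.vary_on_cookie else (path, None)

    def _cacheable(self, path, resp):
        if resp.status != 200:
            return False
        if path.startswith(self.never_cache_prefixes):  # deny-list, independent of origin headers
            return False
        if self.honour_cache_control:
            return not ({"private", "no-store"} & cache_control_directives(resp.headers))
        return True  # misconfigured: store every 200 regardless of headers

    def fetch(self, path, cookie=None):
        key = self._key(path, cookie)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        resp = origin(path, cookie)
        if self._cacheable(path, resp):
            self.store[key] = resp
        return resp


def simulate(cache: ProxyCache) -> dict:
    """Alice loads her account page, then Bob loads his, then /store twice."""
    alice = cache.fetch("/account", "sess-alice").body
    bob = cache.fetch("/account", "sess-bob").body
    cache.fetch("/store")
    cache.fetch("/store")
    return {
        "alice": alice,
        "bob": bob,
        "hits": cache.hits,
        "account_stored": any(k[0] == "/account" for k in cache.store),
    }


def bob_sees_alice(cache: ProxyCache) -> bool:
    return "alice@example.com" in simulate(cache)["bob"]


if __name__ == "__main__":
    print("broken:", simulate(ProxyCache(honour_cache_control=False, vary_on_cookie=False)))
    print("fixed: ", simulate(ProxyCache(True, True, never_cache_prefixes=("/account",))))
```

With the broken configuration Bob's request is answered from Alice's cached page; with Cache-Control honoured the account page is never stored while /store still gets its cache hit. Keying the cache on the session cookie alone (vary_on_cookie without honouring headers) stops the cross-user leak but still leaves personal data sitting in the proxy, which is why the prefix deny-list is worth having as well.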
Re: (Score:1)
Ah ok, makes sense that it was a SystemD problem.
Re: (Score:1)
Sounds like a likely enough explanation.. Configuring caching correctly for a site with mixed content can often be a bit of a bitch. Steam probably uses a lot of caching in general, and may turn things up during the big sales, so if somebody misconfigured, for example, mod_cache you could easily get bugs like this where users end up seeing others' details. I remember years back Apache on RHEL changed the way certain options for caching behaved, which bit a number of people in unexpected ways.
Re: People are speculating it's these shit stains (Score:1)
Mod_cache? Please. I'd be surprised if they weren't using nginx as an SSL capable caching server doing SSL end to end or a pound/varnish combo (again with the option of SSL both directions)
Re: (Score:1)
PSA: If you can't talk about cache control headers without devolving into a rant about "SJWs," no one is ever going to take you seriously.
Here's some official words... (Score:3)
from a community mod [steamcommunity.com]
They're going around locking topics like whackamole now.
Here's the text if you're leery:
Re: Here's some official words... (Score:2, Funny)
And that is why Linux is so much safer: my steam hasn't been working since the nvidia update over a month ago. Everything Linux does is a security feature :3
Re: (Score:1)
They don't have a username separate from an email address so that they can salt/hash the email address and not store it in plain text? I'm no guru or anything but that's what I'd look into if I were going to set something like this up.
Re: (Score:2)
No, hashing would prevent them from getting the plaintext e-mail address which is needed for sending e-mail, like verification e-mail for trades, receipts for buying, et cetera.
What they should not do is display the e-mail address to the user unless he enters the account password first. E-mail addresses are confidential.
Re: (Score:1)
That's what I mean. Hash and salt the email address, use a username as the token, and unhash email only after securely logged in. In other words, I was saying, using the email as the identifier is a bad idea (I think?) if they can avoid it. That way, if the DB is broken, stolen, or whatnot - they just get the hashed and salted email address and it means nothing to them no matter how many rainbow tables they've got access to.
(I'm no guru or anything but I've been listening to you guys for years.) If I were g
Re: (Score:1)
IOW - Can't the UID be separate and just use that to unhash the email address and send the verification/address change/confirmation emails to it? It doesn't seem unworkable to me. I may be missing something, however. I did mention, I am no guru. Thus the question.
Re: (Score:2)
That's what I mean. Hash and salt the email address, use a username as the token, and unhash email only after securely logged in.
There is no "unhash". Hashing is a one-way mechanism.
If you hash kgiii@somewhere.com you may get a string like 858248e6afced43bef32d31292e79a4ff1606d0344154f7acf6b1e5e, but there is no way except brute force cracking to get from that string to your e-mail address.
That's the entire purpose of hashing. When a server stores your password in hashed format, they do not know your password. They can't retrieve it for you. Which means an intruder can't get it either. But they can verify that when you enter yo
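The exchange above (hash the e-mail and "unhash" it later, versus hashing being one-way, and the earlier remark about rainbow tables) is easy to make concrete. This is an added example, not Steam's code; the addresses and the candidate list are constructed. It shows that a salted SHA-256 digest can be verified but not reversed, that an e-mail address is guessable enough that a dictionary run recovers it anyway once the salt leaks with the database, and that a keyed hash whose key is kept out of the database defeats that offline attack. A digest still cannot be used to send mail, so the plaintext (or a recoverable encryption of it) has to be kept somewhere regardless.

```python
"""Hashing an e-mail address: verifiable, not reversible, but guessable (constructed example)."""
import hashlib
import hmac
import os
from typing import Iterable, Optional


def normalise(email: str) -> bytes:
    """Canonical form so 'KGIII@Example.com' and 'kgiii@example.com' hash alike."""
    return email.strip().lower().encode("utf-8")


def hash_email(email: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-256; the salt is stored next to the digest, as with passwords."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + normalise(email)).hexdigest()
    return salt.hex() + "$" + digest


def verify_email(email: str, stored: str) -> bool:
    """The only operation a hash supports: recompute and compare."""
    salt_hex, digest = stored.split("$", 1)
    calc = hashlib.sha256(bytes.fromhex(salt_hex) + normalise(email)).hexdigest()
    return hmac.compare_digest(calc, digest)


def recover_email(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: the salt is public, so every guess can be checked offline."""
    for candidate in candidates:
        if verify_email(candidate, stored):
            return candidate
    return None


def keyed_hash_email(email: str, pepper: bytes) -> str:
    """HMAC with a secret pepper held outside the database (e.g. a KMS/HSM)."""
    return hmac.new(pepper, normalise(email), hashlib.sha256).hexdigest()


def recover_keyed(digest: str, candidates: Iterable[str], pepper: bytes) -> Optional[str]:
    """Same dictionary attack against the keyed hash; only works with the real pepper."""
    for candidate in candidates:
        if hmac.compare_digest(keyed_hash_email(candidate, pepper), digest):
            return candidate
    return None


# Constructed guess list: a few usernames crossed with a few domains.
USERNAMES = ["kgiii", "alice", "bob", "gaben"]
DOMAINS = ["example.com", "example.org", "example.net"]
CANDIDATES = [f"{u}@{d}" for u in USERNAMES for d in DOMAINS]


if __name__ == "__main__":
    stored = hash_email("KGIII@Example.com")
    print("verify:", verify_email("kgiii@example.com", stored))
    print("recovered from salted hash:", recover_email(stored, CANDIDATES))
    pepper = os.urandom(32)
    keyed = keyed_hash_email("kgiii@example.com", pepper)
    print("recovered without pepper:", recover_keyed(keyed, CANDIDATES, os.urandom(32)))
    print("recovered with pepper:", recover_keyed(keyed, CANDIDATES, pepper))
```

The salt only stops one precomputed table from covering every row at once; it does nothing against a per-row guess list, and e-mail addresses are far easier to enumerate than passwords. The pepper changes that because the attacker holding the database dump cannot evaluate the function at all.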
Re: (Score:1)
Ah! I get it now. I think. Wait, no I don't... WTF?
I took a few minutes to do a search and it led me to StackExchange. Pfft... They let *ME* give answers there, so I'll be damned if I trust 'em. However, if I'm reading correctly, it looks like it may still be possible but a rather futile effort?
My thinking was:
UUID = KGIII
Password = somelongpassword
Email = kgiii@example.com
Where UUID is the ID (and not email) and both password and email are hashed & salted.
I'm missing something and I should make it very
Re: (Score:1)
I am trying to learn. Well, trying to make sense of it. Well, I was. I got it now (I think). I read about it and it just didn't want to click. So, I read the wiki page and I think I get it. Sheesh. You guys have taught me a lot. Hell, I like learning the shit you guys seem to all know. There's much that I don't know and I'm actually kind of glad that I don't know it 'cause it'd suck to know everything. It'd be pretty boring, I'd imagine. First you bitch if they don't know, then you bitch if they ask a quest
Re: (Score:2)
Two things, ignore the troll and.
Close enough.
Re: (Score:1)
Much appreciated. ;-) I learn lots of stuff here. That's why I come here. Well, that and I know other stuff. I figure it works out in the end.
Thanks again.
Re: (Score:2)
Those are shit ways to program, granted.
But it could just be that one of their database instances is out of sync with another, causing one request for a webpage to retrieve several different (and then cached) bits of information for entirely different users. What was user 27 on one database might not be on the other, so you end up logging in as you, but getting Fred's language, and George's wishlist, etc.
Just because you can think of bad ways to program, doesn't mean they are the only possible cause. Stea
Re: (Score:2)
Are you kidding? It's the worst possible disaster! They could find out about my Barbie Pony Farm play time!
Don't login until it's fixed.. (Score:1)
If you log in to check if it's broken, your account details could be cached for someone else to view. If you don't log in, they won't be cached.
get the scriptkiddies (Score:1)
Add it to the pile (Score:2)
Just another reason that Steam is awful. This is what happens when you put all your eggs in one basket. Who thought it was a good idea to have this ugly, buggy, bloated, and now apparently insecure, program installed alongside every single PC release? And the worst part is that there is no alternative. Origin only offers EA games, and GOG doesn't have many (if any) new releases.
I really can't wait for another service to come along and knock Steam off their pedestal. Maybe then it will force Valve to get the
Re: (Score:1)
Oh boo bloody hoo, the servers were down for less than an hour, during the most hectic sale they have each year
It's not just this, trust me. There's a whole host of reasons why Steam is awful. Too many for me to list them all in detail, although most of them can be summed up as "bad customer support". But I know that to try and change your opinion would be futile, enjoy defending Valve. I'm sure they really appreciate you.
And still... (Score:1)
Why does Valve have CC info (Score:1)