Valve Software has reportedly patched a vulnerability in the popular online Steam gaming platform that enabled account hijacking through its password reset mechanism.

Kotaku, a popular blog among gamers, said that a number of prominent Steam accounts and Twitch streamers were stolen or accessed remotely. Twitch is a live video streaming platform that can be linked to a Steam account.

The flaw was patched during the weekend, according to a number of reports. Kotaku reposted a statement from Valve that said some Steam accounts may have been affected between July 21 and July 25. A request for confirmation from Valve was not returned prior to publication.

According to the Valve statement, the company said it has reset passwords for accounts with “suspicious” changes during those five days and those affected will be notified by email.

A gamer with the handle “Elm Hoe” demonstrated the vulnerability. He shows that through the platform’s password and account name reset tool, an attacker would merely have to enter the user name of an account they wish to access, and ask for a reset code to be sent to the account’s email address. The next screen asks for the user to enter the recovery code sent to the email address in a field provided. Instead, by hitting continue without entering the code, the attacker is taken directly to the password reset screen and asked to enter and confirm a new password. While the old password is never shared, the attacker is able to reset the password and take control of the targeted account.

Gamers on the Steam platform sometimes spend significant money buying enhancements and features for specific games; this vulnerability puts all of that in jeopardy.

In addition to the automatic password resets initiated by Valve, the company also placed a seven-day ban on any account accessed from a new device between July 21 and 25, and a five-day ban on devices requesting password changes.

Steam does offer a two-factor authentication mechanism called Steam Guard, which adds a mobile phone number to a Steam member’s account through which a Steam Guard code is sent to the user to be used as a second form of authentication.

The popularity of the Steam platform has not gone unnoticed by hackers. In April 2014, researchers discovered a phishing attack that managed to circumvent Steam Guard protections.

In 2012, a much more serious issue in the Steam URL protocol handler was uncovered by researchers at ReVuln. The vulnerabilities enabled attackers to inject code into URLs in order to run code on a remote machine. Most browsers don’t ask for user permission before interacting with the Steam client, and those that do, don’t explain there could be a security issue. As a result, users could be tricked into clicking on a malicious steam:// URL or redirect browsers via javascript to a malicious site, ReVuln said.

Categories: Vulnerabilities, Web Security