Recent Steam Security Flaw Allowed Anyone to Change Your Password

A serious security flaw in Valve’s password reset feature has allowed anyone to reset your password — even without access to your email. The accounts of numerous users have been compromised recently, according to ExtremeTech.

Normally, if you forget your Steam password, Valve sends you a one-time-use code over email that you can use to reset your password. This is a standard procedure used by many web sites. However, it was discovered last week that the site wasn’t actually checking whether the code you entered was valid. If you simply left the code field blank during the verification step, the reset page would still allow you to set a new password.
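To make the failure mode concrete, here is an added example (not Valve's code; Steam's real implementation is not public) of a toy password-reset service written for this article. The `reset_password_vulnerable` method reproduces the bug pattern the flaw describes: the comparison only runs when a code was submitted, so an empty field sails through. The `reset_password` method beside it fails closed: the code must be present, unexpired, compared in constant time, and usable only once. The `ResetService` class, its method names and the 15-minute lifetime are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class ResetToken:
    """One-time reset code issued to a user (constructed for this example)."""
    user: str
    code: str
    expires_at: float


class ResetService:
    """Toy account service; passwords are stored in plain text only to keep the
    demo short. A real service would store a salted hash."""

    CODE_LIFETIME_SECONDS = 15 * 60  # assumed lifetime, not Steam's value

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._tokens: Dict[str, ResetToken] = {}
        self.passwords: Dict[str, str] = {}

    def issue_code(self, user: str) -> str:
        """Generate an unguessable code; in production it is emailed, not returned."""
        code = secrets.token_urlsafe(24)
        self._tokens[user] = ResetToken(user, code, self._now() + self.CODE_LIFETIME_SECONDS)
        return code

    def reset_password_vulnerable(self, user: str, submitted: Optional[str], new_password: str) -> bool:
        """Bug pattern: the check is skipped whenever the submitted code is empty.

        `if submitted and ...` means "" / None never reaches the comparison, so a
        blank field resets the password without any proof of email access.
        """
        token = self._tokens.get(user)
        if submitted and token and submitted != token.code:
            return False
        self.passwords[user] = new_password
        return True

    def reset_password(self, user: str, submitted: Optional[str], new_password: str) -> bool:
        """Hardened version: every failure path returns False before any state changes."""
        token = self._tokens.get(user)
        # 1. A code must exist for this user and one must actually be submitted.
        if token is None or not submitted:
            return False
        # 2. Expired codes are discarded, not honoured.
        if self._now() > token.expires_at:
            del self._tokens[user]
            return False
        # 3. Constant-time comparison avoids leaking the code through timing.
        if not hmac.compare_digest(submitted.encode(), token.code.encode()):
            return False
        # 4. Single use: consume the code before changing the password.
        del self._tokens[user]
        self.passwords[user] = new_password
        return True


if __name__ == "__main__":
    svc = ResetService()
    code = svc.issue_code("alice")
    print("blank code, vulnerable path:", svc.reset_password_vulnerable("alice", "", "pwned"))
    print("blank code, hardened path:  ", svc.reset_password("alice", "", "pwned"))
    print("real code, hardened path:   ", svc.reset_password("alice", code, "new-secret"))
```

The important design point is that the hardened handler treats "no code" exactly like "wrong code": absence of evidence is a failure, not a pass. The single-use and expiry checks matter too, but they are secondary to the basic rule that the verification step must run on every request.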

Needless to say, this has caused a lot of alarm among Steam’s users.  However, the situation isn’t quite as bad as it might sound.  Even in the case of such an unauthorized use of your account, Steam’s system still places a 5-day moratorium on all transactions after a password is reset.  So, any malicious intruder would have to wait a while before doing any damage, and hopefully you would notice the situation before it became a problem.

Valve has fixed the security flaw now, so don’t worry if you haven’t already been hit.  However, it is a concern that such a thing could happen at all, in our modern security-conscious online world.  If nothing else, it teaches us to keep an eye on our online accounts regularly.