A serious issue in Steam allowed access to other users’ accounts

As a result of a configuration change a security issue allowed some Steam users to randomly see pages generated for other users for a period of less than an hour.

Bad news for the popular community of Steam gamers, some of the users are facing serious security issues. Several users online reported to be able to view other users’ account information. Numerous messages on Twitter, NeoGAF, and Reddit reported the problem highlighting that they were also able to access addresses and credit card data of other users.

“So, I went to go checkout on Steam after selecting a few games and I was taken to the checkout page which gave an error message, but still allowed me to select a payment method. When I went to choose a payment method, it opened the payment information forum like usual. Except, the information filled in wasn’t mine. I was for someone completely different than me that I’d never heard of before. Full name and address. The creditcard, thankfully, was not saved. As a IT security guy, this is some serious shit and could be a sign of a major vulnerability.” said a Reddit user.

The Valve company that owns the Steam platform confirmed the serious security, it was an internal error that the company has already fixed.

“Steam is back up and running without any known issues,” a company spokesperson said.

It seems that a wrong “configuration change” randomly let some Steam users view personal information of other users’ profile. The incident was limited to a one-hour period.

“We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users,” he added.

The incident is serious and could have serious repercussion of the users’ security, at the time I was writing it is not clear the number of the affected users. Users also faced other problems, including difficulties in logging to the platform.

On December 25th, several users noticed that Visiting the Steam website or store the platform was returning an error, although there was no impact on the gaming service. There’s still no official explanation, but one popular theory holds that Steam is incorrectly caching account pages and rendering them for other users.

In a message on Steam’s forum one of the moderators explained that the platform has not been hacked and added that the personal information were not visible to other users.

“We’ve gotten reports that people sometimes see other people’s account information on the account page. Valve has been made aware of this and are working on a fix.

Some frequently asked questions:
– No, Steam is not hacked
– Creditcard info and phone numbers are, as required by law, censored and not visible to users“

Valve has released a statement to gamespot about the incident.

“Valve has issued a statement regarding today’s issues. “Steam is back up and running without any known issues,” a Valve spokesperson told GameSpot. “As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.”

Pierluigi Paganini

(Security Affairs – gaming, security issue)