
Steam: Seeing other people's accounts when logged in - pbz
http://www.neogaf.com/forum/showthread.php?t=1162196
======
sakopov
I don't get it. How can a company claim to hire the best and the brightest,
have some of the toughest interviewing processes in the industry and yet
produce a clunky slow piece of shit software that's been dragging its feet for
nearly a decade resulting in your account information splattered all over
someone's screen. What an embarrassment.

~~~
wlesieutre
Flip side of the "flat, work on what you're interested in" company hierarchy.

If nobody goes to work for Valve thinking "I really love writing online stores
wrapped in native apps with friends lists and voice chat bolted on the side,"
they don't progress very quickly.

~~~
yareally
I imagine the list of those that want to also fix bugs and performance issues
for such apps at Valve is even smaller. Just my guess from being an active
steam user for about a decade.

------
meesterdude
For such a large company with so many developers, it's depressing how super
crappy the steam client is, on both OSX and Windows. Maybe it's "good enough"
but it's clearly unpolished, and has been for years. Things like this do NOT
instill any confidence that they are competent or care. Anytime I try to do
something in steam, nothing ever seems to work.

~~~
minimaxir
It's worth noting that Valve infamously has a flat company hierarchy:
[http://www.bbc.com/news/technology-24205497](http://www.bbc.com/news/technology-24205497)
(2013)

The flip side of having a "no leader" organization is no assignment of
responsibilities.

~~~
ChipWolf
I can imagine someone has to mediate disagreements. There has to be some
workflow.

~~~
nailer
Not necessarily. A couple of friends of mine work for a well known flat
hierarchy company and things that nobody wants to take responsibility for that
would typically be handled by an HR manager - e.g., the company structure has
changed and all H1Bs are now working illegally - aren't handled at all.

If it's not their responsibility, and they don't believe in the risk of the
company getting caught, they don't care.

------
minimaxir
Reddit thread with more discussion:
[https://www.reddit.com/r/Games/comments/3y7maa/something_is_...](https://www.reddit.com/r/Games/comments/3y7maa/something_is_really_wrong_with_steam_be_careful/)

To get an indication of how bad this is, the default Steam account page was
_showing other people's accounts_.

EDIT: Steam fully down for now. If you had a Steam Account, I recommend
checking email/credit card on any linked accounts. (and, as always, sign up
for 2FA if you haven't!)

EDIT2: Steam Community Moderator response (not linked):

- No, Steam is not hacked

- Credit card info and phone numbers are, as required by law, censored and not
visible to users

~~~
pbz
And the language randomly changes if you keep refreshing; maybe because I'm
being logged in as a different person every time I refresh?

~~~
TophWells
Quite possibly, yes - if you can find the page that gives "your" account
information, the language often matches the location.

I should really stop poking around, but this is a fascinatingly bizarre error.
Has anyone seen anything like it before?

~~~
xj9
I had a similar problem with a site I worked on a couple of years back.
Setting headers to disable caching did the trick. Annoying, but effective.

------
Santzes
Apparently it's a caching bug - if you add some random query parameters like
?r=123456789 to the url you get the correct page.

~~~
benwilber0
Yeah, pretty obvious caching bug. I'm sure they accidentally told their cache
to ignore cookies or something stupid.

~~~
geofft
Amazon CloudFront all but encourages you to ignore cookies and query strings
in caching. This is exactly what you want in some cases, like images or CSS,
but it seems like a very dangerous option, and there's no scary text around
the option.

~~~
ChipWolf
Valve would have to entirely rewrite their current caching system in order to
repair this which they've avoided for so long.
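
A small model of the failure described in this sub-thread and in xj9's "disable caching headers" fix above: a shared cache keyed on URL only, ignoring both the session cookie and the origin's Cache-Control, so the first user's account page is handed to everyone who follows (and a random query string, as Santzes observed, misses the cache and gets the right page). This is an added example, not Valve's code or any CDN's real behaviour; the origin, session table and cache policies are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed session table standing in for the real session store.
SESSIONS = {"sid-alice": "alice", "sid-bob": "bob"}

@dataclass(frozen=True)
class Request:
    path: str
    query: str = ""   # e.g. "r=123456789", the cache-buster from the thread
    cookie: str = ""  # session cookie that identifies the user

def origin(req: Request) -> Tuple[str, str]:
    """Hypothetical origin: renders the account page for the session cookie and
    returns (body, Cache-Control) telling shared caches not to store it."""
    user = SESSIONS.get(req.cookie, "anonymous")
    return f"Account details for {user}", "private, no-store"

class SharedCache:
    """CDN-style cache in front of origin. key_fn chooses what forms the cache
    key; honor_cache_control decides whether 'private'/'no-store' is obeyed."""

    def __init__(self, key_fn: Callable[[Request], str], honor_cache_control: bool):
        self.key_fn, self.honor = key_fn, honor_cache_control
        self.store: Dict[str, str] = {}

    def fetch(self, req: Request) -> str:
        key = self.key_fn(req)
        if key in self.store:            # HIT: served without looking at the cookie
            return self.store[key]
        body, cc = origin(req)
        if not (self.honor and ("private" in cc or "no-store" in cc)):
            self.store[key] = body       # a personalised page is now shared by all
        return body

def key_url_only(req: Request) -> str:
    """The misconfiguration: cookies are not part of the key, query strings are."""
    return f"{req.path}?{req.query}"

def key_url_and_cookie(req: Request) -> str:
    """Safer key for caches that must store per-session pages at all."""
    return f"{req.path}?{req.query}|{req.cookie}"

def bob_sees_alice(cache: SharedCache, query: str = "") -> bool:
    """Alice loads /account first; does Bob's request for the same path
    (optionally with a cache-buster query) come back with Alice's page?"""
    cache.fetch(Request("/account", cookie="sid-alice"))
    return "alice" in cache.fetch(Request("/account", query=query, cookie="sid-bob"))
```

The safe fail-state CaptSpify asks for is the `honor_cache_control=True` cache: a `private, no-store` response is simply never stored, so at worst the page is slow, never someone else's.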

------
danso
As an OSX user who bought the Steam controller early, Valve gave me all of
their current games plus put me on their Friends and Family list, which gifts
me all of Valve's future games (ha, if they ever make them)...this was because
the controller was mostly non-functional on OSX during the early launch...I
wonder what the apology gift will be this time around?

Edit: I should note that this gift _totally_ pacified me...but probably cost
Valve virtually nothing. To this day I still don't know if my steam controller
experience on OSX is actually up to par with Windows/Steam users (beta client
release notes feature OSX controller fixes frequently) because, who cares, I'm
getting Half Life 3 free! OTOH there's just a handful of OSX Steam users
relative to Windows, and even fewer who were early adopters of Steam
software...I probably saw 5 other users in the same boat talk about the gift
on Reddit.

------
xchaotic
I bet they had thought, let's turn up caching to the max so we don't get
performance problems over Christmas.

------
shiado
This is an extremely serious breach of privacy. I hope there is massive legal
fallout for Valve. You simply can't get away with leaking that kind of
sensitive information. In the end I am guessing the blame will be shifted onto
the group that was DDOSing steam earlier today instead of Valve running a
configuration where this type of breach was possible.

~~~
CaptSpify
> In the end I am guessing the blame will be shifted onto the group that was
> DDOSing steam earlier today instead of Valve running a configuration where
> this type of breach was possible.

I doubt it. The "fail-state" for their website should be to just not work, vs
expose other people's credentials. If it was proven that the attackers were
able to change server configs, that'd be one thing, but that doesn't seem to
be the case.

------
tyfon
This reminds me of when one Norwegian was a victim of a cache error in the
yearly release of tax information. Everyone that logged in got his page until
they shut it down.

Although this steam error is a bit different with everyone getting random
users, it seems likely that it is along the same lines. Over stressed servers
maybe?

[http://www.tu.no/it/2012/03/23/altinn-feilen-er-funnet](http://www.tu.no/it/2012/03/23/altinn-feilen-er-funnet) (Norwegian)

------
SignMeTheHELLUp
Can anyone confirm: was it possible for someone to view the data of a specific,
chosen account, or were people just being logged into random accounts?

In other words, could an attacker exploit this bug to "dox" a specific target?

~~~
renekooi
It was random. According to SteamDB[1] it was a caching issue that ended up
sending random pages to the wrong people.

Possible explanation from unknown source:
[https://www.reddit.com/r/Steam/comments/3y7le9/im_logged_in_...](https://www.reddit.com/r/Steam/comments/3y7le9/im_logged_in_as_someone_random_on_steam/cyb88ym)

[1]:
[https://twitter.com/SteamDB/status/680490823226671104](https://twitter.com/SteamDB/status/680490823226671104)

~~~
SignMeTheHELLUp
Thanks. Based on that information any privacy-conscious users should simply
not use Steam or the Steam website until the bug is fixed. By not using Steam,
their pages won't end up in cache and will not be leaked to others.

~~~
ryanlol
Yeah, but there are other bugs that do let you do that (pull people's account
info). I've found plenty of exploitable vulnerabilities on Steam but stopped
reporting them after their support told me to go post "suggestions" on their
forums instead.

~~~
XMPPwocky
Email security@valvesoftware.com; I've reported loads of things there (some
serious, some pretty trivial), and they're actually very good about responding
to things these days. Steam Support is totally useless, though.

------
anyfoo
I just tried it out after reading this, it's pretty crazy. I am clearly logged
in with my own credentials, but if I go to "Account Details", I see the
details of another user, which sometimes changes.

As indicated in the article, if I click on "Purchase History" or the link
below, I sometimes see other users' data as well.

------
bagels
Update on the article indicates they shut the site down.

I was also confused when I started getting random pages in other languages,
definitely stopped me from buying a game today.

------
pbz
This is the kind of bug (assuming it's not a security breach) that would
warrant a shutdown.

------
baby
Not so long ago you could reset anyone's account password by just entering an
empty reset token.

I don't know what to think of steam. Is that what happens when an important
piece of software is coded by game developers? Or when a company doesn't have
a bug bounty?

~~~
minimaxir
Context behind reset-anyone's-password: [http://kotaku.com/steam-accounts-hijacked-following-security...](http://kotaku.com/steam-accounts-hijacked-following-security-lapse-1720288836)

Additionally, Steam was vulnerable to Heartbleed for a brief period of time:
[http://www.pcinvasion.com/steam-has-security-vulnerability-d...](http://www.pcinvasion.com/steam-has-security-vulnerability-do-not-use-until-fixed)

------
JorgeGT
Absolute silence from VALVe during a massive data breach, superb handling of
the situation!

~~~
rincebrain
Someone upstream linked a moderator's quick notification that it's not someone
having compromised their servers, and presumably we'll see some level of post-
mortem after the fact.

After the security issue a while ago where they forced everyone to change
their passwords, I'm honestly not going to be concerned about their quiet
until a while after things are back to normal.

~~~
minimaxir
Note that data breach != "someone hacked us"

------
mastax
I'm surprised to see unanimous hate for the Steam client on here. I've never
had any problems with Steam. Downloads are fast, the client is easy to use and
not "slow and clunky", the voice chat works well, the new community features
for games are great. Actually my only complaint is that there's no
'unsubscribe all' button on the Steam workshop.

Is my experience entirely unique or is everyone remembering the old crappy
steam client from 2004 (which was before I used steam)?

Edit: Or, more likely, some third option in which case I'd like to hear your
thoughts.

------
sergiotapia
[http://steamcommunity.com/discussions/forum/0/45860425443147...](http://steamcommunity.com/discussions/forum/0/458604254431478327/)

---

Account information incorrect

We've gotten reports that people sometimes see other people's account
information on the account page. Valve has been made aware of this and are
working on a fix.

Some frequently asked questions:

- No, Steam is not hacked

- Credit card info and phone numbers are, as required by law, censored and not
visible to users

---

Wow, steam as always with the killer customer support.

~~~
minimaxir
It should be noted that this is from a moderator, and is not an _official PR
response_.

------
pbz
TheVerge:

[http://www.theverge.com/2015/12/25/10665814/valve-steam-holi...](http://www.theverge.com/2015/12/25/10665814/valve-steam-holiday-sale-security-problems?utm_campaign=theverge&utm_content=chorus&utm_medium=social&utm_source=twitter)

------
r721
>Valve has issued a statement regarding today's issues.

>"Steam is back up and running without any known issues," a Valve spokesperson
told GameSpot. "As a result of a configuration change earlier today, a caching
issue allowed some users to randomly see pages generated for other users for a
period of less than an hour. This issue has since been resolved. We believe no
unauthorized actions were allowed on accounts beyond the viewing of cached
page information and no additional action is required by users."

[http://www.gamespot.com/articles/steam-issue-allowing-access...](http://www.gamespot.com/articles/steam-issue-allowing-access-to-other-users-account/1100-6433371/)

------
ChuckMcM
Very bad Christmas present for Valve it seems. Which is sad since I picked up
Age of Empires and now can't login to get it on my system.

------
coderzach
Huh, I saw all the games in my cart disappear, I wonder if someone else
mysteriously ended up with a cart full of games.

------
ChuckMcM
Well at 3:15 PST there is some progress, now I can get to the store site again
but it complains of too many failed logins. I wonder how long that will take
to clear up.

------
CaptSpify
I wonder how many new accounts GOG will get out of this?

~~~
em3rgent0rdr
GOG is great, but they don't have most newer games (although they get more
every day). The Humble Bundle store, on the other hand, does have most recent
non-DRM games found on Steam.

------
Xelom
If no one at Valve is choosing to work on the Steam platform, I volunteer to
work on it!

------
eswat
They’ve been complacent for too long on polishing up the non-Windows and
mobile clients. Their recent push to use the mobile app as an authenticator
and the bugs surrounding that are a good example. I’m not at all surprised an
issue like this has happened.

