Hacker News new | comments | ask | show | jobs | submit login
Steam: Seeing other people's accounts when logged in (neogaf.com)
173 points by pbz on Dec 25, 2015 | hide | past | web | favorite | 105 comments

I don't get it. How can a company claim to hire the best and the brightest, have some of the toughest interviewing processes in the industry and yet produce a clunky slow piece of shit software that's been dragging its feet for nearly a decade resulting in your account information splattered all over someone's screen. What an embarrassment.

Part of this might be that Valve doesn't assign projects - everyone chooses their own. With so much cool stuff going on, it's easy to ignore less fun, less visible projects, such as fixing the Steam store.


I'd love to fix steam!

That's great jay but what we're really looking for is people who can design hats

Flip side of the "flat, work on what you're interested in" company hierarchy.

If nobody goes to work for Valve thinking "I really love writing online stores wrapped in native apps with friends lists and voice chat bolted on the side," they don't progress very quickly.

I imagine the list of those that want to also fix bugs and performance issues for such apps at Valve is even smaller. Just my guess from being an active steam user for about a decade.

"Native" being a really relative word here.

Remember, these are people who are passionate about games, not necessarily games commerce platforms. It may be that most people, the best and brightest, choose not to wheel their desk to the Steam pod to do tedious, yet necessary, work to upgrade and polish it.

Valve puts more resources into Steam than all their games combined. Steam is their main platform, I had a chance to speak about several people who I know for a fact interned there (one stayed on as an employee) it's really not as chaotic and arbitrary as people think, you do not get to do just what ever the fuck you want regardless of what the scuttlebutt says.

They properly programmed the website so you can't abuse this occurrence, as well as it might be the fault of their cache provider. Although they do have some problems, it is without a doubt they hire extremely smart people if you watch any of the talks people from Valve give, especially concerning their marketplaces. They definitely have lots of problems with their policies, but they are definitely not bad at programming.

Didn't Facebook had a similar bug? shit happens, at least all of their other processes are good enough to compensate for this so while there is some (substantial) information leakage it's not exploitable which is more than you can say about Facebook's many API bugs over the years.

If you think that they do such a shitty job, you probably should enter the market as a competitor...

Steam has numerous competitors but by being the first major player they carry a huge inertial advantage. Having a huge library of games is a REALLY big incentive for people to stay there.

I've been thinking about it and honestly the only way I can think a new competitor could breach into a significant market share, short of Valve screwing up completely, is to offer to duplicate a user's library across to their own platform.

I wonder if you could make a client that also wraps over Steam? So you have your own store and library and messaging system and everything, but you also log into your Steam account under the hood and it mirrors all your Steam things. So you can launch your Steam games and talk to your Steam friends, but have a nicer client.

a lot of games have steam DRM in them, making them unplayable unless the steam client is open and logged in.

so, this couldn't work unless steam creates some kind of API to get around the DRM, which they obviously won't.

I was under the impression that many games, under Linux, could only be played using Steam.

For such a large company with so many developers, it's depressing how super crappy the steam client is, on both OSX and windows. Maybe it's "good enough" but it's clearly unpolished, and has been for years. Things like this do NOT instill any confidence that they are competent or care. Anytime I try to do something in steam, nothing ever seems to work.

Steam has always been like this. When it came out, the client was worse than the competition in most technical aspects. It was slow, ugly and full of bugs, but it still ate the entire market, because it was good enough in the areas that mattered to users, like already being installed on everyone's computers, and having a relatively invisible DRM.

It's worth noting that Valve infamously has a flat company hierarchy: http://www.bbc.com/news/technology-24205497 (2013)

The flip side of having a "no leader" organization is no assignment of responsibilities.

I can imagine someone has to mediate disagreements. There has to be some workflow.

Not necessarily. A couple of friends of mine work for a well known flat hierarchy company and things that nobody wants to take responsibility for that would typically be handled by an HR manager - eg, the company structure has changed and all H1Bs are now working illegally - aren't handled at all.

If it's not their responsibility, and they don't believe in the risk of the company getting caught, they don't care.

I don't know how a company that can afford to hire the best of the best and probably has a lot of people who want to work there can produce such a mediocre product as well as have huge errors like what is going on right now.

The "best" probably don't want to work on something as boring as the steam client. Given the choice of working on the Steam client, the Source Engine, or HL3 - which one would you choose? It's the downside of a flat organization where the staff choose what they work on, without being assigned tasks by management.

If I got to pick (not that I'm even a good developer, but as a PM) - the store/client hands down. Both because it is a glaring flaw now and because doing account and identity management securely is way more interesting to me than a random game.

Well, you should apply!

I also find that to be interesting. I simply enjoy leaving no stone unturned, optimization as well as getting things right.

That said, I'd never pass their interview process. I've failed many interviews because I'm more of a junior than a senior engineer. That's the downfall of only hiring the best and brightest. A bunch of cowboys leads to everyone wanting to do what a cowboy programmer thinks is cool or fun.

I love writing utilities and making them user friendly as possible. I know many don't think it's possible but I love designing interfaces and dummy proofing them is one of my favorite things and I think I achieve it.

That's because it's not sexy work, and requires paying some salty dogs from the stateless realm of web programming and server administration to do the work all proper.

Perhaps a crisis such as this will motivate some people to shell out some coin, and pay for a reasonable HTTP service, and produce some front-end web apps.

I was enthusiastic about the Linux-based Steam OS, that is, until I noticed that, for whatever reason, they MANDATED a 500GB disk partition, onto which one must load THEIR disk image. Really?

As if Linux users would accept such absurd demands.

> I was enthusiastic about the Linux-based Steam OS, that is, until I noticed that, for whatever reason, they MANDATED a 500GB disk partition, onto which one must load THEIR disk image. Really?

> As if Linux users would accept such absurd demands.

Well, yeah, that's SteamOS. Linux users should be installing the standalone Steam client within their existing distro, not a completely separate operating system.

first off, 500GB? that's insane.

I get the non-sexy aspect of it. But when you love something, everything matters. you're just happy to make any part of it better. Maybe that's what they need: more love of their product, and less focus on... TF2 hats.

Correction: 1TB for the default image [1]

(...although, there are alternatives [2], and will probably require some technical effort to pull off)

[1] https://support.steampowered.com/kb_article.php?ref=6372-YZB...

[2] http://repo.steamstatic.com/steamos/

I wonder how much space the average users steam games take up. It's possible they felt it better to demand space for average to high number of game installations up front rather than dealing with users that installed to small partitions and complain that steamos can't install their software.

Using their regular linux client, I have more than a hundred gigabytes used between my Steam/ and SteamLibrary/ directories, and I don't even have that many games installed.

Those users can then buy super cheap external storage and plug it in via USB. You can make multiple SteamLibrary folders and put them wherever you'd like.

I'm almost certain it's an oversight due to not caring.

You can't really load games from USB storage it takes ages and many actually fail. Also steam library can't be set to removable or network storage so if you want to use USB/NAS you'll have to hack it with some softlinks and even that might not work.

AAA at at least 20GB in size these days some are 50 or even larger. 1TB requirement (which can be easily circumvented if you use their installer instead of the disk image clone) isn't that big. I also think that SteamOS will end up being used as some sort of P2P cache in the long run those 50GB COD installs can't come cheap.

Their current "default" installation is pretty much a compressed clone of a disk image so the destination has to be the same size as their source this requires no skill to install what so ever.

They also have a normal Linux installation mode which you can use but it requires about the same technical skills as installing any OS.

Please note that Valve has a pretty damn good picture of how much storage people have, 1TB isn't that big even for an SSD (you can get a sub 200$ 1TB SSD these days).

SteamOS is still in Beta I don't see the size requirement (which isn't a real requirement to begin with) to be a real issue considering current gaming hardware. My steam library is over 11TB (not installed ofc) and I've seen bigger, most new AAA game releases are 30-50GB in size.

Yeah, but look at iTunes. That is first party for the platform, and probably worse.

They have no incentive to care. This is a prime example of a monopoly run a-muck. There's arguably no real competitor for them, so why improve?

for releasing games with DRM with easy to install manner, maybe there isn't a significant competitor atm.

But you can go to humblebundle.com/store and buy a lot of the same games DRM-free

Good Ol' Games deserves a big mention as well. The entire library is DRM-free.

I love GOG but GOG galaxy is a clusterfuck and their library is made up of mostly (very) old games (go figure) ;) I bought The Witcher 3 on steam just because it's better with updates (GOG had so many TW3 updates issues, I got a GOG key from NVIDIA as a Titan X owner and it was just fubar). Steam is also a social platform, most of my friends are on steam which is their biggest competitive advantage which makes most other platforms kinda pointless as a platform DRM free or not.

I really like GOG since I mostly play older PC games anyway and don't care for the social aspects of Steam or stuff like trophies. GOG is just games.

humble-bundle has ~3100 games on it (that I counted. I couldn't find a solid source anywhere).

Steam has about 2x as many (source: http://www.cinemablend.com/games/There-How-Many-Games-Steam-...)

IME, the steam games have much better quality, so yeah, I'd have to say they aren't really a worthwhile competitor

Hey, don't forget linux! The steam client is also super crappy on linux :)

Indeed. I've tried using Steam to support indie developers. Ended up uninstalling within a month both times I tried it. Hogged bandwidth, launched on start and slowed my relatively-modern computer to a crawl.. now I just buy games through Humble Bundle or direct download. I wish I could support Steam but I can't.

My anecdotal experience from using steam for about 12 years is not this at all, excepting that it launches on boot and you can trivially turn that off in the settings. It uses bandwidth only so much as to download updates for games and you can stop games from updating though I don't really understand why you'd do that. Certainly I've never experienced it eating up resources; right now it's eating under 100MB of system resources.

The only bandwidth-related frustration I've experienced is when Steam's client updates itself because it's an invisible background task and occurs at relatively random times. That can cause some frustrations when I am playing a game and wonder where the lag's coming from.

Reddit thread with more discussion: https://www.reddit.com/r/Games/comments/3y7maa/something_is_...

To get an indication how bad this is, the default Steam account page was showing other people's accounts.

EDIT: Steam fully down for now. If you had a Steam Account, I recommend checking email/credit card on any linked accounts. (and, as always, sign up for 2FA if you haven't!)

EDIT2: Steam Community Moderator response (not linked):

- No, Steam is not hacked

- Creditcard info and phone numbers are, as required by law, censored and not visible to users

Take that link down ASAP please. If it is a caching issue as suspected then all the hn crowd clicking on your link are getting their info cached & potentially exposed.

Everyone just leave it alone & don't access any steam pages until the caching is fixed.

Removed it, but the point was that account info could be accessed by a logged-out user.

Apparently, Google has actually cached these pages too.

This is my worry.

Steam shutting down doesn't mean anything to page that has been crawled already.

Can't wait for the postmortem on this nonsense. Makes me wonder why I would trust Valve with any confidential info going forward.

And the language randomly changes if you keep refreshing; maybe because I'm being logged in as a different person every time I refresh?

Best guess at the moment is that it's a caching issue and you're seeing pages previously sent to other people. In other words get the hell out of steam since if you actually do get to your profile it's likely that'll be cached and sent to other people.

Quite possibly, yes - if you can find the page that gives "your" account information, the language often matches the location.

I should really stop poking around, but this is a fascinatingly bizarre error. Has anyone seen anything like it before?

I had a similar problem with a site I worked on a couple of years back. Setting headers to disable caching did the trick. Annoying, but effective.

Not on Steam; there was a Tomcat bug where it'd send HTTP response to wrong client: https://bz.apache.org/bugzilla/show_bug.cgi?id=57340

So maybe that's why Steam store pages have been displaying for me in Korean randomly over the last two years...

> EDIT: Steam fully down for now.

Steam is up for me. Haven't tried the Steam Store, but messaging, game access, and Family Sharing are all fully functional.

I'm getting an error trying to access the store right now, so I guess someone hit a Big Red Switch...

Apparently it's a caching bug - if you add some random query parameters like ?r=123456789 to the url you get the correct page.

yeah pretty obvious caching bug. im sure they accidentally told their cache to ignore cookies or something stupid.

Amazon CloudFront all but encourages you to ignore cookies and query strings in caching. This is exactly what you want in some cases, like images or CSS, but it seems like a very dangerous option, and there's no scary text around the option.

Valve would have to entirely rewrite their current caching system in order to repair this which they've avoided for so long.

I'd put my money on someone bringing up some new varnish servers to handle the xmas day load with default config...

or the backend service, and not setting the Vary header correctly

Ew, cookies? I thought those days were behind us..

As someone who really doesn't do that much web programming, what is the modern way to handle the kinds of information that cookies are/were used for?

Session variables are awful, which is the main selling point for cookies. I prefer basic auth with server-side user settings. This is how I implement stateless web apps and services, which greatly simplifies application architecture and makes it easy to implement automated atomic web testing.

It's unfortunate that people are down-voting instead of responding to you. I'm far from an expert but it would be interesting to see what other people think here...

Basic auth is insecure (i.e. sending credentials in plaintext) and poorly supported by browsers. For example how would you handle these scenarios:

  - Force users to reauthenticate after a certain period of time.
  - Allow user to logout without closing their browser.
I think Basic auth is more reasonable for server-server communications, combined with HTTPS and client-certs.

The best setup IMO is to have an HTTPS login page (form auth, hopefully with MFA) and use a session cookie. You can do server-side settings with this setup, you minimize the time when credentials are being sent (basically just once on login), and you can force your users to occasionally reauthenticate (either session timeout or manual logout) just in case they forgot to logout of a public computer.

For testing you could allow basic auth (make it configurable, or use user-agent sniffing to force browsers to use form auth).

Edit: formatting

> Basic auth is insecure

When used over HTTPS it is about as secure as any other web auth method.

> Force users to reauthenticate after a certain period of time.

With basic auth, there is no session. Authentication credentials are sent with each request.

> Allow user to logout without closing their browser.

There is no session. Only authenticated requests.

It's not for everyone, but I find that stateless APIs are much easier to work with.

Best practice authentication is client-side SSL certificates.


As an OSX user who bought the Steam controller early, Valve gave me all of their current games plus put me on their Friends and Family list, which gifts me all of Valve's future games (ha, if they ever make them)...this was because the controller was mostly non-functional on OSX during the early launch...I wonder what the apology gift will be this time around?

Edit: I should note that this gift totally pacified me...but probably cost Valve virtually nothing. To this day I still don't know if my steam controller experience on OSX is actually up to par with Windows/Steam users (beta client release notes feature OSX controller fixes frequently) because, who cares, I'm getting Half Life 3 free! OTOH there's just a handful of OSX Steam users relative to Windows, and even fewer who were early adopters of Steam software...I probably saw 5 other users in the same boat talk about the gift on Reddit.

I bet they had thought, let's turn up caching to the max so we don't get performance problems over Christmas.

This is an extremely serious breach of privacy. I hope there is massive legal fallout for Valve. You simply can't get away with leaking that kind of sensitive information. In the end I am guessing the blame will be shifted onto the group that was DDOSing steam earlier today instead of Valve running a configuration where this type of breach was possible.

> In the end I am guessing the blame will be shifted onto the group that was DDOSing steam earlier today instead of Valve running a configuration where this type of breach was possible.

I doubt it. The "fail-state" for their website should be to just not work, vs expose other people's credentials. If it was proven that the attackers were able to change server configs, that'd be one thing, but that doesn't seem to be the case.

This reminds me when one norwegian was a victim of a cache error in the yearly release of tax information. Everyone that logged in got his page until they shut it down.

Although this steam error is a bit different with everyone getting random users, it seems likely that it is along the same lines. Over stressed servers maybe?

http://www.tu.no/it/2012/03/23/altinn-feilen-er-funnet (Norwegian)

Can anyone confirm, was it possible for someone to view data of a specific, chosen account or were people just being logged into random accounts.

In other words, could an attacker exploit this bug to "dox" a specific target?

It was random. According to SteamDB[1] it was a caching issue that ended up sending random pages to the wrong people.

Possible explanation from unknown source: https://www.reddit.com/r/Steam/comments/3y7le9/im_logged_in_...

[1]: https://twitter.com/SteamDB/status/680490823226671104

Thanks. Based on that information any privacy-conscious users should simply not use Steam or the Steam website until the bug is fixed. By not using Steam, their pages won't end up in cache and will not be leaked to others.

Yeah, but there's other bugs that do let you do that (pull peoples account info). I've found a plenty of exploitable vulnerabilities on steam but stopped reporting them after their support told me to go post "suggestions" on their forums instead.

Email security@valvesoftware.com; I've reported loads of things there (some serious, some pretty trivial), and they're actually very good about responding to things these days. Steam Support is totally useless, though.


An attacker could send you a URL with a random query parameter, which would be ignored by Steam. But the response would be cached- with that query parameter. The attacker could then visit the URL themselves, and see private information.

An attacker could also grab CSRF tokens from the page, and perform certain actions on a victim's account.

Good point. The effectiveness of that kind of attack will come down to the user's wetware.

I just tried it out after reading this, it's pretty crazy. I am clearly logged in with my own credentials, but if I go to "Account Details", I see the details of another user, which sometimes changes.

As indicated in article, if I click on "Purchase History" or the link below, I sometimes see other user's data as well.

Update on the article indicates they shut the site down.

I was also confused when I started getting random pages in other languages, definitely stopped me from buying a game today.

This is the kind of bug (assuming it's not a security breach) that would warrant a shutdown.

Not so long ago you could reset anyone's account password by just entering an empty reset token.

I don't know what to think of steam. Is that what happens when an important piece of software is coded by game developers? Or when a company doesn't have a bug bounty?

Context behind reset-anyone's-password: http://kotaku.com/steam-accounts-hijacked-following-security...

Additionally, Steam was vulnerable to Heartbleed for a brief period of time: http://www.pcinvasion.com/steam-has-security-vulnerability-d...

Absolute silence from VALVe during a massive data breach, superb handling of the situation!

Someone upstream linked a moderator's quick notification that it's not someone having compromised their servers, and presumably we'll see some level of post-mortem after the fact.

After the security issue a while ago where they forced everyone to change their passwords, I'm honestly not going to be concerned about their quiet until a while after things are back to normal.

Note that data breach != "someone hacked us"

It's Christmas Day - I'm sure 99% of their staff are on holiday.

It's also probably their single biggest day of the year.

That is just how Valve is though. They are terrible at communication

I'm surprised to see unanimus hate for the steam client on here. I've never had any problems with steam. Downloads are fast, the client is easy to use and not "slow and clunky" the voice chat works well, the new community features for games are great. Actually my only complaint is that there's no 'unsubscribe all' button on steam workshop.

Is my experience entirely unique or is everyone remembering the old crappy steam client from 2004 (which was before I used steam)?

Edit: Or, more likely, some third option in which case I'd like to hear your thoughts.



Account information incorrect We've gotten reports that people sometimes see other people's account information on the account page. Valve has been made aware of this and are working on a fix.

Some frequently asked questions: - No, Steam is not hacked

- Creditcard info and phone numbers are, as required by law, censored and not visible to users


Wow, steam as always with the killer customer support.

It should be noted that this is from a moderator, and is not a official PR response.

>Valve has issued a statement regarding today's issues.

>"Steam is back up and running without any known issues," a Valve spokesperson told GameSpot. "As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users."


Very bad Christmas present for Valve it seems. Which is sad since I picked up Age of Empires and now can't login to get it on my system.

Huh, I saw all the games in my cart disappear, I wonder if someone else mysteriously ended up with a cart full of games.

Well at 3:15 PST there is some progress, now I can get to the store site again but it complains of too many failed logins. I wonder how long that will take to clear up.

I wonder how many new accounts GOG will get out of this?

gog is great, but they don't have most newer games (although they get more everyday). Humble Bundle store does on the otherhand have most recent non-DRM games found on steam.

If no one at Valve choosing to work on Steam platform. I volunteer to work on it!

They’ve been complacent for too long on polishing up the non-Windows and mobile clients. Their recent push to use the mobile app as an authenticator and the bugs surrounding that is a good example. I’m not at all surprised an issue like this has happened.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact