Update #3 (Dec. 25, 2015 @ 15:00 (-8 GMT)):
The Steam Store is now back up and running. After a few failed attempts to log in, we have also been able to access the Account Details page and can confirm it now verifies the account ID before displaying any secure information.
Update #2:
Our buddies over at SteamDB have posted a full explanation of what they think caused the issue. Their article continues to dispel rumours of a hack while reiterating the reasoning why faulty webpage caches are to blame.
Update #1:
The Steam Store has now been taken down and will likely remain offline until the problem is well and truly worked out. Concerns on social media regarding hacks and full security breaches have been grossly over-exaggerated, with the original idea of incorrectly cached pages still holding up as the most water-tight theory.
Original Post:
What was that? You think Christmas could just come and go, and sail by with absolutely no problems at all? Nope!
Less than an hour before the writing of this post, users on the r/Steam subreddit began discussing a weird problem related to users not being able to load up or view their own account information, with the Steam client instead showing details gathered from randomly-selected profiles. That may sound a little confusing, so let's demonstrate with a simple step-by-step process which can reproduce the issue 100% of the time for every Steam user.
Selecting your profile name in the top right corner of the Steam Client UI and selecting "Account Details" should load up an incorrect profile, complete with accurate account information. These include full email addresses, account names, Steam Wallet funds, Steam Guard status, payment addresses, partially hashed bank details, and phone numbers. Clicking any of the "View purchase history" or "View licenses and product key activation" options does not take you to the details of this listed profile, however, instead taking you to two very different, and completely separate profiles, complete with whatever language that user's Steam Client is set to by default. The images linked below show this process in detail (any sensitive information has been censored).
Although only fragments of total user profiles, these pages do allow you to view the in-depth details of whichever profiles you happen to have landed with, including Steam Store transactions, Market trades, and in-game purchases, among others. Thankfully, due to the bug's completely crippled nature, it does not appear as if you can actually use any of the information found in these account details, as required pages such as the likes of the "Add funds to your Steam Wallet" option continue to redirect to other accounts, breaking the chain rather quickly. Our friends over at SteamDB believe this to be caused by incorrect webpage caching, which would definitely explain these problems. Along with SteamDB, we are keen to remind readers that this is NOT a traditional security breach.
It's not currently known how long this bug has existed within the Steam Client, but we're hoping it won't take Valve too long to sort all of this out given the possibilities for account abuse or data mining. Even though the actual practical implications of this bug are actually pretty limited (no apparent risk of credit card theft, etc), the backlash against Valve will likely continue to grow more extreme as more users discover their personal data (or at least some of it) may be at risk.
We'll keep you posted as we learn more.
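The caching theory described in the post can be modelled in a few lines. This is an added example, not code from Valve, SteamDB or the original post: the cache class, session IDs, path and owner check are all hypothetical, and it assumes a shared cache keyed on the URL alone sitting in front of a personalised account page.

```python
# Constructed model: a shared page cache in front of a per-user account page.
# Every name here (sessions, path, SharedCache, render) is hypothetical.
ACCOUNTS = {"sess-alice": "alice", "sess-bob": "bob"}

def origin(path, session):
    """Origin server: builds the page for whoever owns the session."""
    owner = ACCOUNTS[session]
    return {"owner": owner,
            "body": f"Account details for {owner}",
            # Personalised pages must be marked as not storable by shared caches.
            "headers": {"Cache-Control": "private, no-store"}}

class SharedCache:
    def __init__(self, honour_cache_control):
        self.honour_cache_control = honour_cache_control
        self.store = {}

    def fetch(self, path, session):
        # The key is the URL only, so the session plays no part in a cache hit.
        if path in self.store:
            return self.store[path]
        resp = origin(path, session)
        cc = resp["headers"].get("Cache-Control", "")
        directives = {d.strip().lower() for d in cc.split(",")}
        uncacheable = bool(directives & {"private", "no-store"})
        # Misconfiguration: storing the response even though it is marked private.
        if not uncacheable or not self.honour_cache_control:
            self.store[path] = resp
        return resp

def render(resp, session):
    """Defence in depth: refuse a page whose owner is not the requester."""
    if resp["owner"] != ACCOUNTS[session]:
        return "403: account mismatch"
    return resp["body"]

def second_user_sees(honour_cache_control, verify_owner):
    cache = SharedCache(honour_cache_control)
    cache.fetch("/account/", "sess-alice")       # first visitor fills the cache
    resp = cache.fetch("/account/", "sess-bob")  # second visitor, same URL
    return render(resp, "sess-bob") if verify_owner else resp["body"]

if __name__ == "__main__":
    print("ignores Cache-Control:", second_user_sees(False, False))
    print("honours Cache-Control:", second_user_sees(True, False))
    print("owner check only:     ", second_user_sees(False, True))
```

The third case corresponds to the behaviour reported in Update #3, where the page checks the account ID before showing anything; in this model that check blocks the leak even while the cache is still misconfigured.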