Steam Client Bug Displays Random User Details

Discussion in 'News' started by Omnomnick, Dec 25, 2015.

  1. Omnomnick

    Omnomnick Retired Lead Content Creator
    Staff Member

    Joined:
    May 29, 2007
    Messages:
    6,324
    Likes Received:
    657
    Update #3 (Dec. 25, 2015 @ 15:00 (-8 GMT)):
    The Steam Store is now back up and running. After a few failed attempts to login, we have also been able to access the Account Details page and can confirm it now verifies the account ID before displaying any secure information.

    Update #2:

    Our buddies over at SteamDB have posted a full explanation of what they think caused the issue. Their article continues to dispel rumours of a hack while reiterating the reasoning why faulty webpage caches are to blame.

    Update #1:

    The Steam Store has now been taken down and will likely remain offline until the problem is well and truly worked out. Concerns on social media regarding hacks and full security breaches have been grossly over-exaggerated, with the original idea of incorrectly cached pages still holding up as the most water-tight theory.

    Original Post:
    What was that? You think Christmas could just come and go, and sail by with absolutely no problems at all? Nope!

    Less than an hour before the writing of this post, users on the r/Steam subreddit began discussing a weird problem related to users not being able to load up or view their own account information, with the Steam client instead showing details gathered from randomly-selected profiles. That may sound a little confusing, so let's demonstrate with a simple step-by-step process which can reproduce the issue 100% of the time for every Steam user.

    Selecting your profile name in the top right corner of the Steam Client UI and selecting "Account Details" should load up an incorrect profile, complete with accurate account information. These include full email addresses, account names, Steam Wallet funds, Steam Guard status, payment addresses, partially hashed bank details, and phone numbers. Clicking any of the "View purchase history" or "View licenses and product key activation" options does not take you to the details of this listed profile, however, instead taking you to two very different, and completely separate profiles, complete with whatever language that user's Steam Client is set to by default. The images linked below show this process in detail (any sensitive information has been censored).

    steam1.PNG steam2.PNG steam3.PNG
    steam4.PNG steam5.PNG

    Although only fragments of total user profiles, these pages do allow you to view the in-depth details of whichever profiles you happen to have landed with, including Steam Store transactions, Market trades, and in-game purchases, among others. Thankfully, due to the bug's completely crippled nature, it does not appear as if you can actually use any of the information found in these account details, as required pages such as the likes of the "Add funds to your Steam Wallet" option continue to redirect to other accounts, breaking the chain rather quickly. Our friends over at SteamDB believe this to be caused by incorrect webpage caching, which would definitely explain these problems. Along with SteamDB, we are keen to remind readers that this is NOT a traditional security breach.

    It's not currently known how long this bug has existed within the Steam Client, but we're hoping it won't take Valve too long to sort all of this out given the possibilities for account abuse or data mining. Even though the actual practical implications of this bug are actually pretty limited (no apparent risk of credit card theft, etc), the backlash against Valve will likely continue to grow more extreme as more users discover their personal data (or at least some of it) may be at risk.

    We'll keep you posted as we learn more.
     
    #1 Omnomnick, Dec 25, 2015
    Last edited by a moderator: Dec 30, 2015
  2. ríomhaire

    ríomhaire Moderator
    Staff Member

    Joined:
    Dec 31, 2004
    Messages:
    20,898
    Likes Received:
    369
    lol Valve what the ****
     
  3. tomemozok

    tomemozok Space Core

    Joined:
    Jan 31, 2011
    Messages:
    331
    Likes Received:
    17
    Best roller-coaster ride ever. I went trough 30 accounts and 25 languages in less than an hour :D
    Good times, great times :D
     
    • Agree Agree x 1
  4. Spamming Tanks

    Joined:
    Jun 19, 2015
    Messages:
    54
    Likes Received:
    4
    This is why I never save my credit card information.
     
  5. Clan Wolf 2

    Clan Wolf 2 Hunter

    Joined:
    Feb 25, 2014
    Messages:
    71
    Likes Received:
    1
    valve the only centralized system, i trust. end of story.
     
  6. Spamming Tanks

    Joined:
    Jun 19, 2015
    Messages:
    54
    Likes Received:
    4
    No offense but that is a pretty dumb attitude to have after the Winter Fail and Steam's downright dog-poop customer service.

    The fact that Valve is so absolutely terrible at communication does not help. That attitude might work well in isolated Game development, but not when you are running the largest and arguably most important game distribution platform EVER... with everyone's financial and personal information at risk.

    And quite frankly, because they are a private for-profit company which has no meaningful competition in game distribution... you definitely should not trust them. Because they have literally no market incentive to improve the quality or safety of their service because Origin, GOG, Amazon, and others are so pathetically tiny in comparison to Steam, and there is nothing in sight that could ever offer real competition anytime soon... no fracking way.

    Your blind trust is amusing... but also depressing.

    EDIT: My bad, I should say PC game distribution. Granted there are consoles but Valve dominates the PC market and that should not be looked at with tinted glasses.
     
  7. Clan Wolf 2

    Clan Wolf 2 Hunter

    Joined:
    Feb 25, 2014
    Messages:
    71
    Likes Received:
    1
    Totally agree stuff needs to change, Valve totally agree stuff needs to change and their working on it.
    It really comes to how Valve operate that affects updates whatever they may be. That too, their working on!

    Besides that, the attic is better than the basement.

    Beyond that, Valve are the centralized system, i trust. end of story. :)

    agree with the following video, or don't. Don't care.




    because praise gaben

     
    #7 Clan Wolf 2, Jan 3, 2016
    Last edited: Jan 3, 2016
  8. Spamming Tanks

    Joined:
    Jun 19, 2015
    Messages:
    54
    Likes Received:
    4
    See, I originally was not going to respond because I figured that I could not argue with someone who uses emoticons and unfunny memes in the place of actual reasons for trust.

    ....

    Then I realized that you pretty much glided over the monopoly question entirely. So that still stands, I guess.

    Not to mention that Valve reserves the right to shut down your account. You don't legally own any of the games you paid Valve for... just a reminder! :)

    Which leads us back to the question of trust.
    If no other platform can compete with selection and prices, then if you run into a problem with Valve and lose your account (it has happened to people before) you really are sh it out of luck huh? The potentially hundreds of dollars in games you once could play? *poof*. Gone. Because you, legally, owned none of it. [I suppose that won't change your mind if it never happens to you, I guess. But that's beside the point....]

    That might be a problem of DRM, yes, but that is not separable from the question of Valve's (unbalanced) power in the PC gaming market... as well as over PC gamers. The only reason Steam exists is to serve publishers by enforcing DRM practices... and Valve makes a pretty penny off of it in the process.

    So forgive me, if I want a better reason to trust Valve than your brand loyalty.
     
  9. Boff

    Boff Medic

    Joined:
    Mar 8, 2012
    Messages:
    19
    Likes Received:
    3
    I'm surprised valvetime haven't linked valves OFFICIAL version of what happened, and not post just what SteamDB propossed happen. http://store.steampowered.com/news/19852/
    The cacheing only happened because Valve had to call in back up support to handle a 2000% higher volume of Christams sales traffic because they were under a attack

    only partial information was shown, and nothing vital like creditcard details were shown, and there was no way a transaction *could* be completed.

    Of the 100 million people who use steam, the ones affected were just a tiny percentage.
    None one got hacked or money was stolen because even this minor flaw was designed so theft and hacking would be minimized.


    all in all considering this was an attack, valve, and us paying customers got off really well, considering.
    Actually when was the last time you paid your monthly service contract for your steam services from valve?

    A
     

Share This Page