If you NAGlings reading this are one of the millions of gamers currently using Steam, please pay attention. A security workaround has been discovered in Valve’s Steam Guard software that allows unauthorised access to your Steam account. Although the workaround is not a hack into Valve’s Steam client or its online services, it is a phishing attack that relies on tricking you into handing a file over to an attacker who is pretending to be Valve. Hit the jump for more information.
The flaw was discovered by security firm Malwarebytes, who figured out a way to access Steam accounts protected by Steam Guard without needing the user’s e-mail address or password. The trick works by copying a file that Steam creates, called the SSFN, to another computer while your Steam account is still logged in and active. The file’s contents are encrypted and there’s no way to read them without a lot of computing power and time.
However, the file doesn’t need to be read: simply copying that SSFN file onto another computer running Steam tricks the Steam client into thinking that the account is running on an authorised computer.
“Typically a Steam phish page asks for Username and Password, like all phish attacks – often these can be foiled by enabling Steam Guard on your account,” said Malwarebytes intelligence analyst Christopher Boyd in an interview with The Inquirer. “We did some testing and can confirm that this technique does indeed work.”
Why is this a major security issue? Well, if you ever log into your Steam account from a computer in an internet cafe, accidentally allow the Steam client to remember your username and password, and don’t log out when you’re done, the next person using that computer could copy the SSFN file to a flash drive and later drop it onto their own computer, giving them access to your inventory items on Steam.
From there, they can trade away your entire collection of items earned through playing games and unlocking achievements, and many of these items have real-world value. These items can be sold off, and the money goes into the scammer’s wallet.
Additionally, if you save your credit card information on any of the computers you use the Steam client on, hackers would be able to see that information as well. They could then run a phishing attack on you, pretending to be your bank verifying details printed on your card such as the card verification value, which would allow them to buy games on your account and later trade them off to others.
It is also possible to use the SSFN workaround to completely hijack your account. The hackers would be able to change the stored e-mail address and password, and you’d have a very tough time convincing Valve that you’re the original owner of the account. According to Malwarebytes, Valve is working on fixing this issue, but it’s anyone’s guess when it will be properly patched up.
So, basically, don’t hand out your SSFN file to anyone who asks for it. While you’re reading this, take a moment to make sure that your account is protected using Steam Guard and that your credit card information isn’t saved in Steam. It’s pretty safe there for now, sure, but you never know how people will break into computers next.
Source: The Inquirer