Reddit users have discovered a security flaw in Steam that lets anyone who Googles the right thing see the email addresses of other, random users. That person’s email preferences – what they receive emails about and when – can then also be changed, although not the address associated with the account.
The method, which we won’t go into detail on here, relies on Google having cached the token that users use to change their email preferences. This token is used in place of a login in case a user wishes to unsubscribe from emails without logging in. It’s very long and randomly generated, but Google, it seems, is remembering them all.
Because of how the method works, it cannot be aimed at a specific user, but it still reveals email addresses without permission and lets someone edit another user’s account settings. We’ve contacted Valve via email, and it’s been reported to them through Steam several times. We’ll update if we hear back about their plans for fixing it.
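The following is an added example, not code from this article or from Valve: a sketch of how a login-free email-preferences link can be served so that a copy held by a search engine exposes less. The signed, expiring token format, the 30-day lifetime, the key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # constructed value; keep the real key in a secret store
MAX_AGE = 30 * 24 * 3600           # assumed link lifetime: 30 days

# Sent on every response so crawlers do not index or archive the page,
# caches do not keep it, and the tokenised URL is not leaked as a referrer.
SAFE_HEADERS = {
    "X-Robots-Tag": "noindex, nofollow, noarchive",
    "Cache-Control": "no-store",
    "Referrer-Policy": "no-referrer",
}

def _sig(payload):
    # The "email-prefs." prefix scopes the signature to this one purpose.
    return hmac.new(SECRET, b"email-prefs." + payload.encode(), hashlib.sha256).hexdigest()

def make_token(user_id, issued_at):
    payload = f"{user_id}.{issued_at}"
    return f"{payload}.{_sig(payload)}"

def verify_token(token, now):
    """Return the user id for a valid, unexpired token, otherwise None."""
    try:
        user_id, issued_at, sig = token.split(".")
        issued = int(issued_at)
    except ValueError:
        return None
    expected = _sig(f"{user_id}.{issued_at}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if not 0 <= now - issued <= MAX_AGE:
        return None                 # an old cached link stops working
    return user_id

def mask_email(addr):
    # Show only enough for the owner to recognise the address.
    local, _, domain = addr.partition("@")
    return f"{local[:1]}***@{domain}"

def preferences_page(token, now, lookup_email):
    """Return (status, headers, body); lookup_email maps a user id to an address."""
    user_id = verify_token(token, now)
    if user_id is None:
        return 403, SAFE_HEADERS, "This link is invalid or has expired."
    return 200, SAFE_HEADERS, f"Email preferences for {mask_email(lookup_email(user_id))}"
```
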