You might assume that Valve, the multi-billion dollar company behind the world’s biggest gaming platform, would have code in that platform that protected the accounts of their international customer base. You would be right, but it took them 15 years to get to that point.
For the past one and a half decades, Valve has overlooked a vulnerability in the Steam client that left every single user exposed to hijack attempts from immoral third parties. Apparently, the flaw, which existed in code from the early days of Steam, was left alone because it never crashed and no-one ever tried to get past it.
Look, I get you might be feeling a bit nervy about Steam in this article, so if you fancy getting involved without putting any (more) money down, check out some free Steam games.
The flaw was eventually discovered in February by Tom Court from Context Information Security, who quickly notified Valve of the issue. A beta patch was issued within 12 hours, before a more stable, long-term patch was released some time in March. Details have only recently been published by context to ensure that users would have had time to patch their steam clients.
The vulnerability stemmed from Valve apparently forgetting to include a check on the first data packet delivered through Steam’s custom protocol communication. You can read an extremely detailed rundown of the vulnerability in this blog post from Context. In the meantime, now might be a good moment to start setting up some two-factor authentication. You know, just in case.