Steam security issue revealed personal info to other users on XMas Day (fixed)

You're still missing the second half of the equation: why is information that should be encrypted being cached at all?

The misconfiguration allowed it to be cached. I've never worked with Varnish, but the way cache typically works is that it saves a copy of the compiled HTML, which in this case would have been unencrypted so the user could view it.

SSL encryption is to verify that the website is who they say they are and prevent any hijacking of data between the user and server. It doesn't care what the server is sending to the user as long as it is sent from the server.
 
You're still missing the second half of the equation: why is information that should be encrypted being cached at all?

It shouldn't. But that could easily be a configuration issue as well. Varnish can already work across HTTPS, though not out of the box (the Varnish devs specifically don't want Varnish to work on HTTPS)--you need to pair it with something else. There are a few guides that point to Pound as an option. The page I linked earlier seems to suggest it might be possible to pass a request with user cookies to the backend if there's nothing in cache, store that response, and then ignore cookies from subsequent users and force a return from the cache for pages in store.steampowered.com/account/* and store.steampowered.com/checkout/*.

So if Steam was already set up to cache some but not all HTTPS traffic, it doesn't seem out of the question to suggest Varnish could be misconfigured to store user-specific responses even over HTTPS. It would be incredibly stupid and not something you'd ever want to do on purpose, but it seems possible.

If you consider the use of additional software to convince Varnish to cache HTTPS traffic as no longer inside the bounds of "caching misconfiguration," then it sounds like we just disagree about what the definition of "caching misconfiguration" means. But I still think it's unfair to just say "everyone's accepting Valve's explanation at face value even though its wrong" when much of the evidence we have available to us suggests it's the right explanation, and when even the makers of the caching technology likely in use say this is a potential issue if their software is misused or misconfigured. Meanwhile there seems to be little to no evidence that would fit other explanations like database tables suddenly going awry or a malicious hack that intentionally distributes random account pages to everyone.
 
The misconfiguration allowed it to be cached. I've never worked with Varnish, but the way cache typically works is that it saves a copy of the compiled HTML, which in this case would have been unencrypted so the user could view it.

SSL encryption is to verify that the website is who they say they are and prevent any hijacking of data between the user and server. It doesn't care what the server is sending to the user as long as it is sent from the server.
If Varnish was caching encrypted data, the users trying to view it wouldn't be able to, since they would be doing exactly what you described: hijacking data between the user and server, also known as a man-in-the-middle attack. Therefore, we wouldn't have seen this behavior at all...

On the other hand, if Steam was passing unencrypted user data to the cache, that's a significant problem and has to do with how their site is coded, not how Varnish operates.
 
I must concede that I forgot they were working on VR actually, so in a freer environment, I guess that would be the more interesting target.

That said, I don't think there's anything necessarily incompatible about a "laissez-faire/libertarian-esque" development approach and a more structured and regimented security/customer service system. One can easily function without being significantly impinged on by the other.
I agree entirely; the problem, in my opinion, is that it seems as though Valve thinks they are forced to choose between the two ends of the structural spectrum and that they must apply that extreme to everything.

My original post was worded pretty poorly though, my bad.
 
There's a lot of information saying this and that. And circlejerks defending valve and burning them at the stake.

All I would like to Know is what do I need to do on my part to protect myself?

Just common good security practices. Reset your password now and then. Watch your card transactions.
If there was damage, there's nothing to do about it now.
 
It shouldn't. But that could easily be a configuration issue as well. Varnish can already work across HTTPS, though not out of the box (the Varnish devs specifically don't want Varnish to work on HTTPS)--you need to pair it with something else. There are a few guides that point to Pound as an option. The page I linked earlier seems to suggest it might be possible to pass a request with user cookies to the backend if there's nothing in cache, store that response, and then ignore cookies from subsequent users and force a return from the cache for pages in store.steampowered.com/account/* and store.steampowered.com/checkout/*.

So if Steam was already set up to cache some but not all HTTPS traffic, it doesn't seem out of the question to suggest Varnish could be misconfigured to store user-specific responses even over HTTPS. It would be incredibly stupid and not something you'd ever want to do on purpose, but it seems possible.

If you consider the use of additional software to convince Varnish to cache HTTPS traffic as no longer inside the bounds of "caching misconfiguration," then it sounds like we just disagree about what the definition of "caching misconfiguration" means. But I still think it's unfair to just say "everyone's accepting Valve's explanation at face value even though its wrong" when much of the evidence we have available to us suggests it's the right explanation, and when even the makers of the caching technology likely in use say this is a potential issue if their software is misused or misconfigured. Meanwhile there seems to be little to no evidence that would fit other explanations like database tables suddenly going awry or a malicious hack that intentionally distributes random account pages to everyone.
Much earlier in the thread I did say that I doubted it was caching. From everything I've seen since then I concede it is possible that it was caching (though of course this behavior can be due to other factors as well). At the time, caching seemed incredibly unlikely to me since I have a decent working understanding of how these services are configured, troubleshot, and installed.

Whether or not it is caching, my concern remains that Steam is doing what you described: passing user data unencrypted to the cache and storing it. That is definitely NOT good practice and means that while a Varnish configuration may have revealed the problem, there is still the matter of Steam not encrypting your data (at least in terms of passing it to Varnish, which I believe works and double-checks with Apache to serve content).
 
There's a lot of information saying this and that. And circlejerks defending valve and burning them at the stake.

All I would like to Know is what do I need to do on my part to protect myself?

Just make sure Steam Guard is enabled on your account, and remove any CC's. Set up a PayPal account and link your CC's in there instead; it's much safer to have an extra layer of security for payment methods.

Having no CC's linked directly to your steam account means that other info such as phone numbers and billing addresses are also not present. Another good idea is to ensure your steam password is different from other services you have and/or get in a practice of changing it regularly.
 
If Varnish was caching encrypted data, the users trying to view it wouldn't be able to, since they would be doing exactly what you described: hijacking data between the user and server, also known as a man-in-the-middle attack. Therefore, we wouldn't have seen this behavior at all...

On the other hand, if Steam was passing unencrypted user data to the cache, that's a significant problem and has to do with how their site is coded, not how Varnish operates.

In this case you are the user. Steam's web servers respond to your request with the cached response. That was the problem. They flip a switch to attempt to reduce load time on a busy day, and wind up caching data that should not have been cached. When a new user tries to view the account page, the server notices that cache is enabled on that page and sends you the cached page. No hijacking involved.
 
Whether or not it is caching, my concern remains that Steam is doing what you described: passing user data unencrypted to the cache and storing it. That is definitely NOT good practice and means that while a Varnish configuration may have revealed the problem, there is still the matter of Steam not encrypting your data (at least in terms of passing it to Varnish, which I believe works and double-checks with Apache to serve content).

Dumb question: If someone were to listen in on the connection between Varnish and Steam, would they be able to obtain unencrypted account information?
 
In this case you are the user. Steam's web servers respond to your request with the cached response. That was the problem. They flip a switch to attempt to reduce load time on a busy day, and wind up caching data that should not have been cached. When a new user tries to view the account page, the server notices that cache is enabled on that page and sends you the cached page. No hijacking involved.
Except that if the data was encrypted over SSL, that wouldn't have been possible in the first place. The cache could cache all it wanted, but the standard encrypted communication handshake wouldn't have taken place and therefore wouldn't have led to anyone viewing anyone else's information.

Which brings us back to the problem of why Valve was caching unencrypted user data in the first place. Why was ANY communication -- cached or not -- of the user's data taking place on a connection that wasn't encrypted? That is what you don't seem to understand.

Other than regurgitating what has been told by SteamDB and a few YouTube users, nothing you're saying is new. I'd expect an explanation from Valve as to why the data wasn't encrypted at all.
 
Yes there was. There were people selling their systems over it, denouncing Sony, calling them all sorts of names and so on. The backlash was actually worse.
What outrage there was had more to do with being unable to access any online features than the actual breach.

Assuming that's correct, who is the group responsible in this case?
Valve obviously, but you're ignoring the comparison that Sony was also liable for the breach because of their lax security protocols and settings. Sony is/was never held to the same standard Valve has recently been scrutinized for.

Again, my steam username (shared with other places) and e-mail is not connected to my IRL identity anywhere. Oh, and I do not voluntarily share my personal information on some social networking site.
Right, and in regards to our steam usernames & CC information, that is inexcusable on their part. My issue had more to do with the other information being displayed.

You're confusing Lizard Squad with the 2011 PSN meltdown.
Care to explain how I'm getting them confused?

There is no equivalence between voluntarily sharing your personal information and having it divulged to random people when it shouldn't be. In some ways I consider this worse than the Sony breach because Sony was hacked while Valve was just sloppy. Thankfully no payment details were disclosed so it's better in that respect.
The equivalence is that you're still volunteering to share that information. You don't have to give your address, etc. to Valve to complete a transaction. I never have. You don't have to share your contact information on Facebook; many do. While Valve is at fault for being sloppy, they at least acknowledged the issue and fixed the source within an hour. It took Sony 11 days to admit that your personal information had been compromised.

Bullshit. I said it to hlhbk and I'll say it to you: unless you were a victim of a previous breach, none of your information should be publicly available AND linked together in the manner of this breach.
Fair enough, I give you my address and then you find out who I am. Sound good to you?

I agree to a certain extent. But Steam account information is meant to be private. People input data differently when it's public versus private.
Maybe I'm coming at this from a more cynical angle; whenever I input personal information online I always expect it to be compromised at some point. I don't mean to victim blame or anything, although I suspect I come off that way, and for that I apologize.

I half agree. People should protect their data. However, that does not mean the victim is at fault for assuming a service wouldn't fall apart like this.
I'm not excusing Valve for their fuck up, but like I said earlier perhaps I am being too cynical. I don't mean to victim blame and for that I again apologize; insensitive for me in some respect.

Then don't give me the option to store my information on your servers.

No, if you're accepting my data then you better make sure it doesn't leak. It's not my fault if you can't store it securely after you offered to do it.
Again perhaps I am coming off as being rude or insensitive, but just because the option is there doesn't mean it is a good idea. Valve isn't the only one to practice this. Again, don't mean to victim blame.
 
Dumb question: If someone were to listen in on the connection between Varnish and Steam, would they be able to obtain unencrypted account information?
Well, the "connection" is internal as Varnish is a software package hosted on the server. If people were able to see packets passed between Apache and Varnish they'd already be in the server and that would be the least of your problems.

To answer your question more directly: no, nearly impossible for that to happen unless they also have root access to the server.
 
Well, the "connection" is internal as Varnish is a software package hosted on the server. If people were able to see packets passed between Apache and Varnish they'd already be in the server and that would be the least of your problems.

To answer your question more directly: no, nearly impossible for that to happen unless they also have root access to the server.

Ah, I see, thanks for explaining! I didn't know Varnish was hosted locally but with that knowledge yeah it's, well, as you say nearly impossible.
 
Dumb question: If someone were to listen in on the connection between Varnish and Steam, would they be able to obtain unencrypted account information?

We know nothing about how the internal routing of the data is handled.

It's possible that the architecture is (this is what Google does post-Snowden because they found out they were being MITMed by the government even in what they thought was internal communications)
Server A encrypt message ---> Server B decrypt message, look at message, re-encrypt message ---> End user

It's possible that the architecture is (like a web server assembling a request from a database server before encrypting it to send it outwards):
Server A unencrypted message ---> Server B encrypt message -> End user

It's possible that the architecture is (like an onion router):
Server A encrypt message --> Server B can't read message and forwards it along not knowing what it is ---> End user

Vulnerability to MITM attacks will vary depending on how each link of the chain is set up, but Disaster Nebraska seems to be implying that only the last of those is an acceptable strategy and that has not been my experience working in enterprise environments in the past.
 
Don't think I had any saved information.
Just noticed this thread.

That would explain the weird "I don't remember this person being my friend that happened" but I was in a rush to get out of the house so I didn't think to look again.
 
We know nothing about how the internal routing of the data is handled.

It's possible that the architecture is (this is what Google does post-Snowden because they found out they were being MITMed by the government even in what they thought was internal communications)
Server A encrypt message ---> Server B decrypt message, look at message, re-encrypt message ---> End user

It's possible that the architecture is (like a web server assembling a request from a database server before encrypting it to send it outwards):
Server A unencrypted message ---> Server B encrypt message -> End user

It's possible that the architecture is (like an onion router):
Server A encrypt message --> Server B can't read message and forwards it along not knowing what it is ---> End user

Vulnerability to MITM attacks will vary depending on how each link of the chain is set up, but Disaster Nebraska seems to be implying that only the last of those is an acceptable strategy and that has not been my experience working in enterprise environments in the past.
As chrominance pointed out, Varnish doesn't handle HTTPS traffic unless paired up with a third-party plugin or package. I actually wasn't sure either way, so thanks for the info chrominance. The one thing I do know is that Varnish doesn't receive encrypted info, cache it, and then somehow decrypt it. That's not how Varnish works at all. That's not how any commercial caching service works and I can assure you any software doing this would quickly get run out of the market.

The fact that this information is being passed unencrypted in the first place is what's worrying. The only way Varnish could cache this information and reveal it to their users would be if it was being cached unencrypted.

Let's pretend this was a password: if Varnish cached a bunch of users and passwords and showed them to other users randomly, it could also be due to a "caching issue". However, the question would still remain: why isn't Valve storing and transmitting my username and password in an encrypted fashion in the first place? We can all agree that is a logical follow-up question, right?

So, even if a config change in Varnish (pretty significant oopsie on their part) is what caused one user's information to be passed to another and revealed this yesterday, the question still remains: why is user data being stored and transmitted in an unencrypted fashion in the first place?
 
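The two failure modes argued over above (chrominance's point that a Varnish rule ignoring cookies on store.steampowered.com/account/* and /checkout/* would store one user's page for everyone, and the reply that the application itself has to mark such pages as not cacheable) can be shown in a small model. The block below is an added example written for this thread; it is not Valve's or Varnish's code, and SharedCache, CachePolicy, account_backend and the session data are constructed names and fake values. It models a shared cache that keys entries on the URL alone, then runs the same two requests under a misconfigured policy, a cache-side fix (pass on those paths and on any request with a cookie), an application-side fix (Cache-Control: private, no-store), and a cache that ignores Cache-Control altogether.

```python
"""Model of a shared HTTP cache in front of a personalised web app.

Added example for this thread, not code from Valve or the Varnish
project. The names SharedCache, CachePolicy and account_backend and the
session/user values are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Callable

# Constructed session store: session cookie -> data the backend renders.
# All values are fake.
SESSIONS = {
    "sid=alice": {"name": "Alice Example", "email": "alice@example.invalid", "card_last2": "42"},
    "sid=bob":   {"name": "Bob Example",   "email": "bob@example.invalid",   "card_last2": "17"},
}


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def account_backend(path: str, headers: dict, mark_private: bool) -> Response:
    """Origin server. Renders the account page for the session named in the
    Cookie header. With mark_private=True it tells any cache in front of it
    that the response is user-specific and must not be stored."""
    user = SESSIONS.get(headers.get("Cookie", ""))
    if user is None:
        return Response(401, {"Cache-Control": "no-store"}, "login required")
    body = f"{path}: {user['name']} <{user['email']}> card ending {user['card_last2']}"
    resp_headers = {"Content-Type": "text/html"}
    if mark_private:
        resp_headers["Cache-Control"] = "private, no-store"
    else:
        # The application-side weakness: a personalised page with a public
        # caching directive, which a cookie-blind cache will happily store.
        resp_headers["Cache-Control"] = "max-age=60"
    return Response(200, resp_headers, body)


@dataclass
class CachePolicy:
    pass_paths: tuple = ()          # URL prefixes never served from cache
    pass_on_cookie: bool = False    # requests carrying a cookie bypass the cache
    honor_private: bool = True      # respect Cache-Control: private / no-store


@dataclass
class SharedCache:
    backend: Callable[[str, dict], Response]
    policy: CachePolicy
    store: dict = field(default_factory=dict)
    stats: dict = field(default_factory=lambda: {"hit": 0, "miss": 0, "pass": 0})

    def fetch(self, path: str, headers: dict) -> Response:
        must_pass = path.startswith(self.policy.pass_paths) or (
            self.policy.pass_on_cookie and "Cookie" in headers
        )
        if must_pass:
            self.stats["pass"] += 1
            return self.backend(path, headers)
        # Cache key is the URL only. Without a pass rule (or Vary: Cookie),
        # every visitor to a path shares one stored entry.
        if path in self.store:
            self.stats["hit"] += 1
            return self.store[path]
        self.stats["miss"] += 1
        resp = self.backend(path, headers)
        cc = resp.headers.get("Cache-Control", "")
        private = "private" in cc or "no-store" in cc
        if resp.status == 200 and not (self.policy.honor_private and private):
            self.store[path] = resp
        return resp


def run_scenario(policy: CachePolicy, mark_private: bool):
    """Alice loads /account/, then Bob does. Returns both bodies, whether
    Bob received Alice's data, and the cache counters."""
    cache = SharedCache(lambda p, h: account_backend(p, h, mark_private), policy)
    first = cache.fetch("/account/", {"Cookie": "sid=alice"})
    second = cache.fetch("/account/", {"Cookie": "sid=bob"})
    leaked = "Alice" in second.body
    return first.body, second.body, leaked, dict(cache.stats)


if __name__ == "__main__":
    cases = {
        "cookie-blind cache, public page": (CachePolicy(), False),
        "cache passes account paths/cookies": (CachePolicy(("/account/", "/checkout/"), True), False),
        "app sends Cache-Control: private": (CachePolicy(), True),
        "cache ignores Cache-Control": (CachePolicy(honor_private=False), True),
    }
    for name, (pol, priv) in cases.items():
        _, bob_sees, leaked, stats = run_scenario(pol, priv)
        print(f"{name:38s} leaked={leaked} stats={stats} bob_sees={bob_sees!r}")
```

The model deliberately contains no TLS: in the deployment described in the thread, TLS is terminated by a proxy in front of Varnish, so the cache always handles plaintext HTTP and nothing about the encryption on the wire decides who gets which page. That decision rests on the cache policy and on the response headers, and the last scenario shows why both layers matter: an application that correctly marks its pages private is still exposed if the cache in front of it is configured to disregard that header.
 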
Just checking up on this thread since yesterday and I see there has still been no real apology from Steam or in-depth explanation.

They ruined my day yesterday. I felt sick to my stomach the whole day and barely could even eat Christmas dinner. Been nervously checking my email and this thread for news when I should be enjoying the holiday. I don't feel safe. Fuck Steam.
 
Just checking up on this thread since yesterday and I see there has still been no real apology from Steam or in-depth explanation.

They ruined my day yesterday. I felt sick to my stomach the whole day and barely could even eat Christmas dinner. Been nervously checking my email and this thread for news when I should be enjoying the holiday. I don't feel safe. Fuck Steam.

This is a big screw up, really, but I think you need to take a step back, breathe, and relax. The information that people saw (if anything was even seen from your account) is minimal. This isn't downplaying what happened, but really in an effort to reassure you that super serious, full information wasn't compromised.

Nobody had access to full credit card numbers or passwords. I don't think you need to be feeling unsafe, or letting this get in the way of living your life.

This is an eye-opening screw up, but not anywhere near as serious as it could have been. Stay vigilant, but relax.
 
They ruined my day yesterday. I felt sick to my stomach the whole day and barely could even eat Christmas dinner. Been nervously checking my email and this thread for news when I should be enjoying the holiday. I don't feel safe. Fuck Steam.

a bit of an overreaction but ok
 
Just checking up on this thread since yesterday and I see there has still been no real apology from Steam or in-depth explanation.

They ruined my day yesterday. I felt sick to my stomach the whole day and barely could even eat Christmas dinner. Been nervously checking my email and this thread for news when I should be enjoying the holiday. I don't feel safe. Fuck Steam.

Just keep an eye on your accounts, change your password if you really feel the need to, and take a deep breath. Don't get too wound up about it; yes, it was a fuck up, but it could have been a lot, lot worse.
 
a bit of an overreaction but ok

people feel and react to things differently; is it really out of scope for you to believe that someone could feel sick all day worrying that their card might get charged because of a fuck-up they had nothing to do with? there was so much mis/information yesterday that it made me a lil bummed out too. their lack of a response is gross, imo.
 
a bit of an overreaction but ok

Yah really. Holy crap.

This is a big screw up, really, but I think you need to take a step back, breathe, and relax. The information that people saw (if anything was even seen from your account) is minimal. This isn't downplaying what happened, but really in an effort to reassure you that super serious, full information wasn't compromised.

Nobody had access to full credit card numbers or passwords. I don't think you need to be feeling unsafe, or letting this get in the way of living your life.

This is an eye-opening screw up, but not anywhere near as serious as it could have been. Stay vigilant, but relax.

Except it's not an overreaction, because people were pointing out in this thread that the information that got revealed is more than enough for someone to steal your identity. It sucks and it made me feel terrible. It would be nice if Steam at least acknowledged that this was a pretty big problem.
 
This is a big screw up, really, but I think you need to take a step back, breathe, and relax. The information that people saw (if anything was even seen from your account) is minimal. This isn't downplaying what happened, but really in an effort to reassure you that super serious, full information wasn't compromised.

Nobody had access to full credit card numbers or passwords. I don't think you need to be feeling unsafe, or letting this get in the way of living your life.

This is an eye-opening screw up, but not anywhere near as serious as it could have been. Stay vigilant, but relax.

But we didn't know the scope of this at all yesterday. I don't think it's that far fetched to feel a little nervous about this whole thing right as it happened.
 
Except it's not an overreaction, because people were pointing out in this thread that the information that got revealed is more than enough for someone to steal your identity. It sucks and it made me feel terrible. It would be nice if Steam at least acknowledged that this was a pretty big problem.

Enough to steal your identity would be the last 4 of your social. Further, Steam does not even show the full last 4 of your card, only the last 2. That is not enough to access anything anywhere. If you're worried about your card call your bank and cancel it/get a new one.

The only part of your phone number visible in the account page is the last 4 digits and email. If someone had happened to get a cached version of the checkout page, they might have your address, but this is generally accessible via public records anyways. Look up yourself on any background check website. Someone having YOUR EMAIL is not enough to STEAL YOUR IDENTITY.

It's a gross overreaction and there was no comprehensive list of information about yourself that will realistically be used to "steal your identity". People did not have authenticated access to anyone's account, only sporadic views of cached versions of webpages for various different users. Nobody was able to, say, see someone's account details and then also go through the checkout process as that same person because the cached pages they were getting were for different people.

People overreacting to this are just trying to stir up a bigger fuss than there really needs to be.
 
Their confirmation was useless, didn't include an apology and very likely might have included false information.

Yeah it's good alright.

Why would Valve lie? They're a business, they just messed up, why would they risk their standing further? Don't accuse others of lying just because.

I think people were just looking for an interim, "We're aware of and apologize for this issue. We are working to resolve it as quickly as possible."

Something like servers being down or just being unable to log in is one thing, but an hour or so of users randomly seeing personal, sensitive information of other users is much more urgent.

We only know the basics of what happened. They could have made an apology, but they could have still been figuring out whose fault it was at the time. Yes, this is a huge almighty failure of security, but as far as we know, it wasn't the result of someone trying to access information they shouldn't.

It's like with people wanting Bayonetta 2 or Bloodborne on other platforms, people need to be realistic about how particular situations stand, and lifting their hopes up for something virtually impossible is only a detriment.

Steam screwed up. If they don't clarify further within the next few weeks, then I'll be upset that they've not addressed the issue.
 
We don't know what happened. They could have made an apology, but they could have still been figuring out whose fault it was at the time. Yes, this is a huge almighty failure of security, but as far as we know, it wasn't the result of someone trying to access information they shouldn't.

It's like with people wanting Bayonetta 2 or Bloodborne on other platforms, people need to be realistic about how particular situations stand, and lifting their hopes up for something virtually impossible is only a detriment.

Steam screwed up. If they don't clarify further within the next few weeks, then I'll be upset that they've not addressed the issue.
You think people criticizing Valve for failing to communicate with their customers reasonably is on the same level as people wanting BB or Bayonetta on different platforms? What? Am I understanding your post correctly?


They already said it was a cache error, which would be on them, unless there's been an update since I last checked the thread.
 
I guess this is why the store front was freaking out yesterday and showing Japanese text every other refresh.
 
You think people criticizing Valve for failing to communicate with their customers reasonably is on the same level as people wanting BB or Bayonetta on different platforms? What? Am I understanding your post correctly?


They already said it was a cache error, which would be on them, unless there's been an update since I last checked the thread.

I think people need to realize this whole ordeal happened during a widespread holiday and Valve is a tightly staffed company, and employees are likely specifically instructed to not speak publicly without approval from PR. I'm willing to bet it was a lengthy process to first figure out what happened, contact the on-call engineer responsible for fixing it, and reach the right person or people to write up an acceptable public response. By all accounts, people are with their families and likely not paying attention to their phones/work email/etc. I don't think the timeframe in which Valve responded, given the circumstances, was unacceptable. At this stage they've given an interim response/explanation, and I expect that we'll get something more fully-fledged as we go into next week.

Sometimes companies need to move slowly and deliberately before making public statements, that's just how it is. I'm not excusing Valve's fuck-up, but I'm sure we'll get an acceptable post-mortem for what happened here within due time.
 
This exact thing happened to the online public tax services in Norway a few years back. Due to a caching error, one guy's tax info was displayed to pretty much everyone who logged onto the site.
 
Enough to steal your identity would be the last 4 of your social. Further, Steam does not even show the full last 4 of your card, only the last 2. That is not enough to access anything anywhere. If you're worried about your card call your bank and cancel it/get a new one.

The only part of your phone number visible in the account page is the last 4 digits and email. If someone had happened to get a cached version of the checkout page, they might have your address, but this is generally accessible via public records anyways. Look up yourself on any background check website. Someone having YOUR EMAIL is not enough to STEAL YOUR IDENTITY.

It's a gross overreaction and there was no comprehensive list of information about yourself that will realistically be used to "steal your identity". People did not have authenticated access to anyone's account, only sporadic views of cached versions of webpages for various different users. Nobody was able to, say, see someone's account details and then also go through the checkout process as that same person because the cached pages they were getting were for different people.

People overreacting to this are just trying to stir up a bigger fuss than there really needs to be.

Okay, look. You are probably right about this not being as huge a security problem as I thought. But man, it really messed me up, especially since I have anxiety issues as it is. Maybe some people have a thicker skin about stuff like this, but not me. And it had to happen on Christmas too. :(
 
Once again, people were able to get to the Review process, which shows the last four digits of your card.

So that means your:
Name
Email
Last 4 digits of your card
And address were listed bare for people to see.

If you wanna downplay the event and call people's reactions a gross exaggeration, at least get the facts straight.
 
Okay, look. You are probably right about this not being as huge a security problem as I thought. But man, it really messed me up, especially since I have anxiety issues as it is. Maybe some people have a thicker skin about stuff like this, but not me. And it had to happen on Christmas too. :(

I understand, just hopefully serves to inform that you can relax as your information is, by and large, safe. While I totally understand that it was a stressful situation on an unfortunate date for many (at first, myself included), I am fairly certain it will blow over without many (if any) casualties of information being used for nefarious purposes/to cause harm. The issue is that with the lack of information/official position from Valve, people started to create a ton of conjecture that served to make people more afraid than they realistically needed to be.

All I'm trying to say is you can relax now, maybe keep an eye on your back/card statements, but all is well.

Once again, people were able to get to the Review process, which shows the last four digits of your card.

So that means your:
Name
Email
Last 4 digits of your card
And address were listed bare for people to see.

If you wanna downplay the event and call people's reactions a gross exaggeration, at least get the facts straight.

Link to anyone confirming that they happened to get the cached version of the review page? Also you should get your facts straight -- the final review page does NOT show the last 4 of your card, only the last 2. Meaning someone had your name, email, address, phone number and the last 2 digits of your card.
 
Here you go:
http://www.neogaf.com/forum/showthread.php?p=190425008#post190425008

There is a censored pic when you click on the link in this post.

That's not the review page. This is:

[image: screenshot of the Steam order review page]


Note the last 2 digits, not 4. Image you linked doesn't show any CC info at all.
 
I'm not accusing them "just because." As far as we know, that claim of "less than an hour" is absolute malarkey.

I'd like to think Valve have a hold on the concept of time more so than others, Valve Time jokes aside. The problem could have been corrected within the space of an hour of it starting, with the fix taking a bit of time to be pushed to the number of servers where it needed to be. Hopefully any followup info they post will clarify or correct this.

You think people criticizing Valve for failing to communicate with their customers reasonably is on the same level as people wanting BB or Bayonetta on different platforms? What? Am I understanding your post correctly?


They already said it was a cache error, which would be on them, unless there's been an update since I last checked the thread.

I'm saying that people wanting Valve to have a fully written apology with technical details and clarifications on the situation within the space of a few hours of it happening, on Christmas Day of all times, need to approach this more relaxed.

I think people need to realize this whole ordeal happened during a widespread holiday and Valve is a tightly staffed company, and employees are likely specifically instructed to not speak publicly without approval from PR. I'm willing to bet it was a lengthy process to first figure out what happened, contact the on-call engineer responsible for fixing it, and reach the right person or people to write up an acceptable public response. By all accounts, people are with their families and likely not paying attention to their phones/work email/etc. I don't think the timeframe in which Valve responded, given the circumstances, was unacceptable. At this stage they've given an interim response/explanation, and I expect that we'll get something more fully-fledged as we go into next week.

Sometimes companies need to move slowly and deliberately before making public statements, that's just how it is. I'm not excusing Valve's fuck-up, but I'm sure we'll get an acceptable post-mortem for what happened here within due time.

This. Exactly.
 
That's not the review page. This is:

[image: screenshot of the Steam order review page]


Note the last 2 digits, not 4. Image you linked doesn't show any CC info at all.

If your card is saved on file, it shows the last four digits. It's doing so right now for me. Other people have confirmed this in multiple topics.

Whether or not it's due to Mastercard or Visa (the one I'm using), I don't know, but it's showing it right now for me.
 
If your card is saved on file, it shows the last four digits. It's doing so right now for me. Other people have confirmed this in multiple topics.

Whether or not it's due to Mastercard or Visa (the one I'm using), I don't know, but it's showing it right now for me.

On the order review screen? That's odd, as both my account page and review page for purchases show only the last 2 (MasterCard), and my card is saved.
 
Note the last 2 digits, not 4. Image you linked doesn't show any CC info at all.

I think it's because the account on screen doesn't have its payment info saved on steam. But I don't know what it would show otherwise because I don't use a CC on steam.
 