Valve resets partner logins as result of someone exploiting the "Heartbleed" bug
72 replies, posted
[img]http://puu.sh/82sZe.png[/img]
[img]http://i.imgur.com/m8uiaH1.png[/img]
[url]http://steamdb.info/app/202970/#section_history[/url]
I guess they just update OpenSSL in "valve time".
[editline]10th April 2014[/editline]
Oh also they haven't changed over to new certs yet. But this may not be needed:
[QUOTE=Flapadar;44501517][url]http://blog.erratasec.com/2014/04/why-heartbleed-doesnt-leak-private-key.html#.U0W_k_ldWJp[/url][/QUOTE]
[editline]10th April 2014[/editline]
[b]Update:[/b] Happened again to Ubisoft/Obsidian Entertainment's partner account.
[img]http://i.imgur.com/mzMWEks.png[/img]
[url]http://steamdb.info/app/213670/[/url]
What does this mean exactly?
It means someone could log into your developer account and tamper with your store page?
[QUOTE=nomad1;44501191]It means someone could log into your developer account and tamper with your store page?[/QUOTE]
yes
[QUOTE=nomad1;44501191]It means someone could log into your developer account and tamper with your store page?[/QUOTE]
Essentially yes, someone used the heartbleed bug to locate a developer's session and hijack it. Then they used the session to change the name of a game that developer could manage.
What else has been affected by heartbleed? Is there a list or whatever out there?
[QUOTE=Doomish;44501209]What else has been affected by heartbleed? Is there a list or whatever out there?[/QUOTE]
Pretty much everything that uses HTTPS: Twitter, Steam, Imgur, etc.
It's just a matter of how early they fixed it.
Almost every linux-hosted HTTPS-using website used this vulnerable version of OpenSSL.
[editline]10th April 2014[/editline]
Unless it is ancient. :v:
So... is it something I should actually be worried about? Most of the web news I've seen so far about it has begun with "CHANGE ALL OF YOUR PASSWORDS RIGHT NOW THE ENTIRE INTERNET IS FUCKED" so I'm really not sure what to take at face value and what to take with a grain of salt.
[editline]e[/editline]
the "entire internet is fucked" part is mostly exaggeration on my part but less so than I'd have hoped
[QUOTE=Doomish;44501310]So... is it something I should actually be worried about? Most of the web news I've seen so far about it has begun with "CHANGE ALL OF YOUR PASSWORDS RIGHT NOW THE ENTIRE INTERNET IS FUCKED" so I'm really not sure what to take at face value and what to take with a grain of salt.
[editline]e[/editline]
the "entire internet is fucked" part is mostly exaggeration on my part but less so than I'd have hoped[/QUOTE]
Basically what happened was that the vulnerability enabled attackers to see a bit of the server's memory. That memory might've contained some data left over from the last request or two, which would contain stuff like cookies and any other data sent in the request.
If an attacker gets hold of the cookies you send while requesting a page (while logged in), they have something that they can use to successfully identify as you on that page.
On some websites when logging in it may send your password in plaintext as well. If someone happened to catch that request.. well.. not good.
most really big companies and esp financial institutions should be fine because they are ridiculously slow to update their stuff and so aren't running the latest few versions of OpenSSL which contain the bug
[QUOTE=Eltro102;44501398]most really big companies and esp financial institutions should be fine because they are ridiculously slow to update their stuff and so aren't running the latest few versions of OpenSSL which contain the bug[/QUOTE]
Very true, but keep in mind we're talking 2-3 years of not updating here.
Wait so should I change my passwords? or are only developers vulnerable?
if I don't use steams site on a browser but change it via steam the program itself am I totally safe?
also, what sites are affected?
What sites are affected?
[QUOTE=EVIL WEVIL;44501428]Wait so should I change my passwords? or are only developers vulnerable?[/QUOTE]
At some point after April 7 everyone using steam was.
If you haven't logged in since then, you should be OK.
All you would need to do is log out and log back in to clear your session. [i](so even if they grabbed your session then, they can't do anything with it anymore)[/i]
[QUOTE=Perl;44501340]Basically what happened was that the vulnerability enabled attackers to see a bit of the server's memory. That memory might've contained some data left over from the last request or two, which would contain stuff like cookies and any other data sent in the request.
If an attacker gets hold of the cookies you send while requesting a page (while logged in), they have something that they can use to successfully identify as you on that page.
On some websites when logging in it may send your password in plaintext as well. If someone happened to catch that request.. well.. not good.[/QUOTE]
So if I haven't used a service in the last couple days (and it's now patched), chances are I won't have to worry about my password there?
Or did I misunderstand about Heartbleed only intercepting recent communications?
Keep in mind, the Heartbleed bug has been around for three years.
It was recently discovered, however, by a team of security researchers.
If you haven't been hacked in the last three years, you're probably fine.
Still, not a bad time to change your passwords if you're worried.
[QUOTE=Marik Bentusi;44501481]So if I haven't used a service in the last couple days (and it's now patched), chances are I won't have to worry about my password there?
Or did I misunderstand about Heartbleed only intercepting recent communications?[/QUOTE]
That is correct.
The vulnerability has existed since 2012, but it was only released to the public on April 7, when it was patched pretty much instantly.
Heartbleed only disclosed recent information (in most cases, anything from the last few seconds to milliseconds).
[QUOTE=usa;44501095]Oh also they haven't changed over to new certs yet.[/QUOTE]
[url]http://blog.erratasec.com/2014/04/why-heartbleed-doesnt-leak-private-key.html#.U0W_k_ldWJp[/url]
[QUOTE=Marik Bentusi;44501481]So if I haven't used a service in the last couple days (and it's now patched), chances are I won't have to worry about my password there?
Or did I misunderstand about Heartbleed only intercepting recent communications?[/QUOTE]
The Heartbleed bug was only public in the last couple of days so that's when people would be using it maliciously. There's a [I]chance[/I] that this may have been exploited before it was publically discovered but it is very slim.
[QUOTE=Perl;44501474]At some point after April 7 everyone using steam was.
If you haven't logged in since then, you should be OK.
All you would need to do is log out and log back in to clear your session. [i](so even if they grabbed your session then, they can't do anything with it anymore)[/i][/QUOTE]
I've logged into steam every day but never via any browser, this would only apply if logging into steam using browsers right?
[QUOTE=Doomish;44501310]So... is it something I should actually be worried about? Most of the web news I've seen so far about it has begun with "CHANGE ALL OF YOUR PASSWORDS RIGHT NOW THE ENTIRE INTERNET IS FUCKED" so I'm really not sure what to take at face value and what to take with a grain of salt.
[editline]e[/editline]
the "entire internet is fucked" part is mostly exaggeration on my part but less so than I'd have hoped[/QUOTE]
Really you [I]should[/I] be changing your passwords but it's not something I would drop what I was doing and act immediately. I personally haven't changed any passwords yet.
[editline]9th April 2014[/editline]
[QUOTE=EVIL WEVIL;44501528]I've logged into steam every day but never via any browser, this would only apply if logging into steam using browsers right?[/QUOTE]
The client counts too. It's connecting to the same server using the same protocol.
[QUOTE=nomad1;44501191]It means someone could log into your developer account and tamper with your store page?[/QUOTE]
Yes, I assume at the exact moment that the person ran the exploit for whatever reason (just logged in?) the server had the Activision session details in memory.
Thanks for the answers so far, really appreciate it in this chaos.
One last question: When you're talking about "logging in", does that just mean typing in your username/password or is there also some communication going on when I visit a site that "remembered" I'm already logged in (via session cookie magic or something)?
[QUOTE=EVIL WEVIL;44501428]Wait so should I change my passwords? or are only developers vulnerable?[/QUOTE]
If its sessions as people seem to be suggesting then passwords don't really need changing, just that by doing so they (presumably) destroy the existing sessions making them impossible to use.
If someone exploited it and made massive discounts would steam still honor the sale of those games?
Even if our passwords did seen wouldn't having steamguard on pretty much prevent them from doing anything?
I'm not going to change my passwords until some time has passed for everyone to get their patches sorted.
As long as whatever service you use is still vulnerable, it makes no difference what age your credentials are - as many have stated, it's recent activity that's most easily gathered via the heartbleed vulnerability.
The best thing you can do to protect yourself is not interact with a vulnerable service.
[quote]
robits: so what i'm wondering is, would the steam client's logon trigger a web api based auth request
√oidy: yes
[/quote]
Alright, according to him whatever the case is [b]you should deauthorize steam guard devices and reset your password[/b] just to be sure as already tons of account details have been stolen.
SteamGuard won't help you here.
If you were logged into steam, authorized through SteamGuard, they'll also most likely have your SteamGuard authorization.
[QUOTE=Marik Bentusi;44501481]So if I haven't used a service in the last couple days (and it's now patched), chances are I won't have to worry about my password there?
Or did I misunderstand about Heartbleed only intercepting recent communications?[/QUOTE]
I don't think passwords are that much of a risk, unless for some reason the site is storing them in memory in plaintext. Even then its a very low possibility, what is the chance of [B]your[/B] password being in that 64kb of memory after the heartbeat at the exact moment someone exploits the server?
Sorry, you need to Log In to post a reply to this thread.