Security Flaw Found in Steam Guard Process

[exfileme]

Never dish out your SSFN file.

Security Flaw Found in Steam Guard Process : Read more

 

[frozendarkness]

you have to be outright retarded to fall for this. i swear, it's like telling me the lock on my door isn't effective because robbers can just ask for my key

 

[tomfreak]

I only login my steam Accounts on my computer, sooo the only way they get my SSFN file is go through 2 layers of firewalls = win8 + Comodo/zonealarm combo steal my SSFN file by taking it from my computer via internet, as it is no way I will give the SSFN file directly to them.

 

[suture]

Old News, discovered this ages ago, copied my steam folder to a pen drive, runned in another PC and steam didnt asked for the steam guard code.
So i logically assumed the security info was stored somewhere in a file in the steam folder.

 

[ferooxidan]

Lol, I've been transferring my Steam folders to each and every desktop and laptop i have in order not to redownload games again. No authentication required and Steam automatically log in into my account. That easy.

 

[jimmysmitty]

I only log into Steam itself, almost never through the website unless Steam itself is down and even then I check the mobile app first.

 

[Darkk]

Well the cat is out of the bag so they may change this.

 

[Kevin McCormick]

Simple fix is to tie the SSFN to a single IP address. Even with file scammer will have a different IP. Draw back is every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.

 

[puggle man]

Simple fix is to tie the SSFN to a single IP address. Even with file scammer will have a different IP. Draw back is every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.

Another drawback: IP adresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.

 

[w8gaming]

some companies tries to identify the range of similar ip assigned by your ISP and won't ask for re-authentication if they are deemed from the same ISP. Blizzard does this. Guild Wars 2 does this as well. But GW2 always failed to detect the dynamic ips are from the same ISP.

 

[Kelthar]

I don't get how is it that MalwareBytes is given the credit for finding this out.

I've seen warnings around, even by moderators on reddit (/r/steam) to not give out that file; about a month ago. Lots of people talking about this on different locations, so unless this was found out months ago by MalwareBytes, I don't think they deserve the credit.

 

[Nefail Bushi]

How can you call this a flaw? If you are dumb enough to send a copy of whole HDD to someone don't complain that he got all your documents cause you sent them dumb ass.

 

[mopman411]

Simple fix is to tie the SSFN to a single IP address. Even with file scammer will have a different IP. Draw back is every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.

Another drawback: IP adresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.

Kevin was on the right track but took a turn too soon. Locking the SSFN to a machines MAC address would be a much better alternative.

 

[c123456]

Simple fix is to tie the SSFN to a single IP address. Even with file scammer will have a different IP. Draw back is every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.

Another drawback: IP adresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.

Kevin was on the right track but took a turn too soon. Locking the SSFN to a machines MAC address would be a much better alternative.

I was ready to +1 this at first, but now I'm not to sure what you mean by this. Simply keeping the MAC address in the file wouldn't help since macs can be spoofed. The best way would be to use the MAC address as a salt in some sort of encryption scheme. It's a hell of a lot slower, but the frequency of doing this per user shouldn't cause an impact on user experience.

 

[Kevin McCormick]

Simple fix is to tie the SSFN to a single IP address. Even with file scammer will have a different IP. Draw back is every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.

Another drawback: IP adresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.

I do not expect IPs change that often even if dynamically assigned.

I've had the same IP for months, before that years. Only reason the IP change was me replacing router.

 

[Kevin McCormick]

Simple fix is to tie the SSFN to a single IP address. Even with file scammer will have a different IP. Draw back is every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.

Another drawback: IP adresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.

Kevin was on the right track but took a turn too soon. Locking the SSFN to a machines MAC address would be a much better alternative.

I was ready to +1 this at first, but now I'm not to sure what you mean by this. Simply keeping the MAC address in the file wouldn't help since macs can be spoofed. The best way would be to use the MAC address as a salt in some sort of encryption scheme. It's a hell of a lot slower, but the frequency of doing this per user shouldn't cause an impact on user experience.

The idea would be for Valve at login to check the file information, they know the IP address of requester, MAC address could alternatively be fetched and checked, then compare information with their own internal database. They MAC or IP would not have to be in file, although could be part of a hashing scheme.

 

[soccerplayer88]

Simple fix is to tie the SSFN to a single IP address. Even with file scammer will have a different IP. Draw back is every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.

Another drawback: IP adresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.

Steam Guard remembers your PC for 30 days after a successful login (snapshot of system config). This also takes a snapshot of your MAC address. As long as those two line up you won't have a problem. Dynamic IP address or not.

 

[randomizer]

This is not a security flaw in Steam Guard, or any process for that matter. This is a flaw in the user. It's just a standard social engineering attack. One could just as easily say that Steam itself has a security flaw because an attacker need only ask the user for their password and they're in.

 

[n3cw4rr10r]

So let me get this straight: If you are stupid enough to give someone your username and password and access to your computer so they can steal your SSFN file, it means Steam Guard has a security flaw? WTF kind of logic is that?

 

[aule10]

So let me get this straight: If you are stupid enough to give someone your username and password and access to your computer so they can steal your SSFN file, it means Steam Guard has a security flaw? WTF kind of logic is that?

Almost, not acces to the computer, just send over the SSFN file from your steam folder.

 

[returnzork]

This isn't very new. It has been reported before, and has not been "discovered" recently.

 

[Zombie615]

Yeah I guess you'd have to be an idiot to fall for that. I mean really who would think that steam would ask you to go into your files and send them a certain file just to log in? I'd hope no one but apparently not lol

 

[coolitic]

How is this new?

This is just like every other kind of phising. If you actually fall for it, then you're in trouble.

 

[Master467]

Simple fix is to tie the SSFN to a single IP address. Even with file scammer will have a different IP. Draw back is every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.

Another drawback: IP adresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.

I had the same IP for 6 years, and it just changed last week. Im kinda sad, because i had it memorized. This was just normal internet, nothing special and i did not pay to keep one IP. It does happen, just not often i guess.