Security Flaw Found in Steam Guard Process

Status
Not open for further replies.

frozendarkness

Distinguished
Mar 10, 2010
24
0
18,510
You have to be outright retarded to fall for this. I swear, it's like telling me the lock on my door isn't effective because robbers can just ask for my key.
 

tomfreak

Distinguished
May 18, 2011
1,334
0
19,280
I only log in to my Steam accounts on my computer, sooo the only way they get my SSFN file is to go through 2 layers of firewalls (Win8 + Comodo/ZoneAlarm combo) and steal my SSFN file by taking it from my computer via the internet, as there is no way I will give the SSFN file directly to them.
 

suture

Distinguished
Jun 13, 2011
35
0
18,530
Old news, discovered this ages ago: copied my Steam folder to a pen drive, ran it on another PC and Steam didn't ask for the Steam Guard code.
So I logically assumed the security info was stored somewhere in a file in the Steam folder.
 

ferooxidan

Honorable
Apr 15, 2013
427
0
10,860
Lol, I've been transferring my Steam folders to each and every desktop and laptop I have in order not to redownload games again. No authentication required, and Steam automatically logs in to my account. That easy.
 

Kevin McCormick

Reputable
Apr 18, 2014
5
0
4,510
A simple fix is to tie the SSFN to a single IP address. Even with the file, the scammer will have a different IP. The drawback is that every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.
 

puggle man

Distinguished
Jun 16, 2010
17
0
18,510
A simple fix is to tie the SSFN to a single IP address. Even with the file, the scammer will have a different IP. The drawback is that every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.

Another drawback: IP addresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.
 

w8gaming

Honorable
Dec 21, 2012
171
0
10,680
Some companies try to identify the range of similar IPs assigned by your ISP and won't ask for re-authentication if they are deemed to be from the same ISP. Blizzard does this. Guild Wars 2 does this as well. But GW2 always failed to detect that the dynamic IPs are from the same ISP.
 

Kelthar

Honorable
Mar 27, 2013
640
0
11,360
I don't get how it is that MalwareBytes is given the credit for finding this out.

I've seen warnings around, even by moderators on Reddit (/r/steam), not to give out that file, about a month ago. Lots of people were talking about this in different locations, so unless this was found out months ago by MalwareBytes, I don't think they deserve the credit.
 

Nefail Bushi

Reputable
Apr 18, 2014
10
0
4,510
How can you call this a flaw? If you are dumb enough to send a copy of your whole HDD to someone, don't complain that he got all your documents, because you sent them, dumbass.
 

mopman411

Distinguished
Jan 15, 2008
104
0
18,710
A simple fix is to tie the SSFN to a single IP address. Even with the file, the scammer will have a different IP. The drawback is that every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.

Another drawback: IP addresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.

Kevin was on the right track but took a turn too soon. Locking the SSFN to a machine's MAC address would be a much better alternative.
 

c123456

Honorable
Feb 3, 2014
61
0
10,630
A simple fix is to tie the SSFN to a single IP address. Even with the file, the scammer will have a different IP. The drawback is that every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.

Another drawback: IP addresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.

Kevin was on the right track but took a turn too soon. Locking the SSFN to a machine's MAC address would be a much better alternative.

I was ready to +1 this at first, but now I'm not too sure what you mean by this. Simply keeping the MAC address in the file wouldn't help, since MACs can be spoofed. The best way would be to use the MAC address as a salt in some sort of encryption scheme. It's a hell of a lot slower, but the frequency of doing this per user shouldn't cause an impact on user experience.
 

Kevin McCormick

Reputable
Apr 18, 2014
5
0
4,510
I do not expect IPs to change that often, even if dynamically assigned.

I've had the same IP for months, before that years. The only reason the IP changed was me replacing the router.
 

Kevin McCormick

Reputable
Apr 18, 2014
5
0
4,510
The idea would be for Valve, at login, to check the file information; they know the IP address of the requester, the MAC address could alternatively be fetched and checked, then compare the information with their own internal database. The MAC or IP would not have to be in the file, although it could be part of a hashing scheme.
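The two posts above (c123456's "MAC as a salt" idea and Kevin McCormick's "not in the file, but part of a hashing scheme") describe the same design: the server keeps a tag that binds the remember-me secret to a device fingerprint, so a copied file on another machine cannot reproduce the proof. The following is an added, hypothetical illustration of that proposal, not Steam's actual SSFN format or protocol; the fingerprint inputs, the in-memory SERVER_DB and the function names are all constructed for the example.

```python
"""Hypothetical device-bound remember-me token, illustrating the forum
proposal. Constructed example; not Steam's real SSFN scheme."""
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the server's per-account database.
SERVER_DB = {}


def fingerprint(mac: str, hostname: str) -> bytes:
    """Hypothetical device fingerprint. A MAC alone is spoofable, as the
    thread notes, so a real deployment would mix in more signals."""
    return hashlib.sha256(f"{mac}|{hostname}".encode()).digest()


def enroll(account: str, device_fp: bytes) -> bytes:
    """Run once after a successful Steam Guard login. Returns the secret
    written to the client's file; the server stores only derived values,
    and the fingerprint itself never goes into the file."""
    secret = os.urandom(32)
    SERVER_DB[account] = {
        # Unbound model: any holder of the file is accepted (thread's complaint).
        "bearer_hash": hashlib.sha256(secret).digest(),
        # Bound model: tag ties the secret to the enrolling device.
        "bound_tag": hmac.new(secret, device_fp, hashlib.sha256).digest(),
    }
    return secret


def login_bearer(account: str, file_secret: bytes) -> bool:
    """Unbound check: possession of the file alone is sufficient."""
    rec = SERVER_DB.get(account)
    if rec is None:
        return False
    return hmac.compare_digest(rec["bearer_hash"],
                               hashlib.sha256(file_secret).digest())


def login_bound(account: str, file_secret: bytes, device_fp: bytes) -> bool:
    """Bound check: the client must hold the file *and* be on the enrolled
    device. A copied file elsewhere yields a different proof and fails,
    which should fall back to asking for a fresh Steam Guard code."""
    rec = SERVER_DB.get(account)
    if rec is None:
        return False
    proof = hmac.new(file_secret, device_fp, hashlib.sha256).digest()
    return hmac.compare_digest(rec["bound_tag"], proof)
```

The bound check still passes if an attacker can reproduce the fingerprint exactly, which is the spoofing caveat c123456 raises; binding raises the bar for the "just send me the file" scam but does not replace the second factor.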
 

soccerplayer88

Distinguished
Feb 1, 2010
227
0
18,680
A simple fix is to tie the SSFN to a single IP address. Even with the file, the scammer will have a different IP. The drawback is that every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.

Another drawback: IP addresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.

Steam Guard remembers your PC for 30 days after a successful login (a snapshot of the system config). This also takes a snapshot of your MAC address. As long as those two line up you won't have a problem, dynamic IP address or not.
 

randomizer

Champion
Moderator
This is not a security flaw in Steam Guard, or any process for that matter. This is a flaw in the user. It's just a standard social engineering attack. One could just as easily say that Steam itself has a security flaw because an attacker need only ask the user for their password and they're in.
 

n3cw4rr10r

Distinguished
Mar 14, 2013
1,119
0
19,660
So let me get this straight: If you are stupid enough to give someone your username and password and access to your computer so they can steal your SSFN file, it means Steam Guard has a security flaw? WTF kind of logic is that?
 

aule10

Honorable
Jan 30, 2014
34
0
10,530
So let me get this straight: If you are stupid enough to give someone your username and password and access to your computer so they can steal your SSFN file, it means Steam Guard has a security flaw? WTF kind of logic is that?

Almost: not access to the computer, just sending over the SSFN file from your Steam folder.
 

Zombie615

Honorable
Feb 9, 2014
487
0
10,810
Yeah, I guess you'd have to be an idiot to fall for that. I mean really, who would think that Steam would ask you to go into your files and send them a certain file just to log in? I'd hope no one, but apparently not, lol.
 

Master467

Honorable
Jun 12, 2013
117
0
10,690
A simple fix is to tie the SSFN to a single IP address. Even with the file, the scammer will have a different IP. The drawback is that every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.

Another drawback: IP addresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.

I had the same IP for 6 years, and it just changed last week. I'm kinda sad, because I had it memorized. This was just normal internet, nothing special, and I did not pay to keep one IP. It does happen, just not often I guess.
 