
Security Flaw Found in Steam Guard Process

Source: The Inquirer

Never dish out your SSFN file.

The Inquirer reports that security firm Malwarebytes has discovered a way to steal Steam accounts by bypassing Steam Guard.

Typically, when a Steam customer tries to log in using a different PC, a different browser and/or a different device, a pop-up window will appear asking to enter a code that is delivered to the user's email address. Without this code, it's nearly impossible to log into the account.

However, in order for scammers to break into a Steam account, the victim must be driven to a fake login page. "Typically a Steam phish page asks for Username and Password, like all phish attacks - often these can be foiled by enabling Steam Guard on your account," said Malwarebytes intelligence analyst Christopher Boyd.

The fake Steam page will present the same pop-up Steam Guard window, but will ask for something different: the user's SSFN file. This file is what prevents users from having to reveal their identity through Steam Guard each time they try to log into their account via a browser. If the user deletes this file, then he/she would be required to identify themselves again, thus generating a new SSFN file.

Thus in order to get into a user's account, all hackers supposedly have to do is take that SSFN file and drop it into the Steam directory on the scammer's computer.

"We did some testing and can confirm that this technique - asking a victim to send their SSFN file to the scammer - does indeed work," Boyd explained. But if the Steam user tries to log in from a different computer or browser, they will get the original credentials request. At this point, the hacker can't get into the account unless he/she has control over the user's email address.
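Why a copied file is enough, shown with a simplified model. This is an added example, not code from the article, Malwarebytes or Valve; the function names, the in-memory store and the device identifiers are hypothetical, and the real SSFN format is not modelled. A file accepted on possession alone works from any machine, while a check that also takes a device identifier rejects the copy, as long as that identifier cannot be learned and replayed too.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # server-side secret, never sent to clients
REMEMBERED = {}                        # account -> hashes of files the server accepts


def issue_bearer_sentry(account: str) -> bytes:
    """'Remembered machine' file: random bytes the server remembers by hash."""
    sentry = secrets.token_bytes(32)
    REMEMBERED.setdefault(account, set()).add(hashlib.sha256(sentry).hexdigest())
    return sentry


def verify_bearer(account: str, sentry: bytes) -> bool:
    """Possession of the file alone skips the e-mail code; no device input exists."""
    return hashlib.sha256(sentry).hexdigest() in REMEMBERED.get(account, set())


def issue_bound_sentry(account: str, device_id: str) -> bytes:
    """Variant: the file is an HMAC over the account and the enrolling device's ID."""
    msg = f"{account}\x00{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def verify_bound(account: str, device_id: str, sentry: bytes) -> bool:
    """Recompute the HMAC for the device presenting the file; constant-time compare."""
    return hmac.compare_digest(issue_bound_sentry(account, device_id), sentry)


def demo() -> dict:
    owner_dev, other_dev = "device-A (constructed)", "device-B (constructed)"
    bearer = issue_bearer_sentry("alice")
    bound = issue_bound_sentry("alice", owner_dev)
    return {
        "bearer_on_owner_pc": verify_bearer("alice", bearer),
        "bearer_copied_elsewhere": verify_bearer("alice", bearer),  # same call: nothing ties it to a PC
        "bound_on_owner_pc": verify_bound("alice", owner_dev, bound),
        "bound_copied_elsewhere": verify_bound("alice", other_dev, bound),
        # Caveat: device_id is client-reported, so a replayed ID passes again.
        "bound_with_replayed_id": verify_bound("alice", owner_dev, bound),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'Steam Guard code required'}")
```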

So why is stealing a Steam account a big deal other than acquiring a boat-load of free games?

"Compromised Steam accounts are big business, especially for those wanting to hijack accounts which have rare in-game items in their inventory. They'll 'trade' the items off to an account owned by the scammer, who will then go on to sell them for their own gain on the Steam Marketplace, buying games with the newly acquired funds in their Steam Wallet," Boyd said.

Hackers will also have access to the victim's purchase library, and be able to change the account's current email address, the current password, disable Steam Guard, change the payment info and so on. Of course, if users don't store their credit card information in Steam, that's one less thing to worry about.

Valve Software is currently aware of the issue, and the forum moderators are alerting all Steam users. Unfortunately, the report doesn't say how users end up on a fake Steam login page. Just keep in mind that if anyone asks for the SSFN file, ignore the request because handing that file over will be very bad news.

Other Comments
  • 16
    frozendarkness , April 17, 2014 5:42 PM
    You have to be outright retarded to fall for this. I swear, it's like telling me the lock on my door isn't effective because robbers can just ask for my key.
  • -4
    tomfreak , April 17, 2014 5:43 PM
    I only log in to my Steam accounts on my computer, sooo the only way they get my SSFN file is to go through 2 layers of firewalls (Win8 + Comodo/ZoneAlarm combo) and steal my SSFN file by taking it from my computer via the internet, as there is no way I will give the SSFN file directly to them.
  • 2
    suture , April 17, 2014 5:59 PM
    Old news, discovered this ages ago: copied my Steam folder to a pen drive, ran it on another PC and Steam didn't ask for the Steam Guard code.
    So I logically assumed the security info was stored somewhere in a file in the Steam folder.
  • 1
    ferooxidan , April 17, 2014 6:15 PM
    Lol, I've been transferring my Steam folders to each and every desktop and laptop I have in order not to redownload games again. No authentication required and Steam automatically logs in to my account. That easy.
  • 0
    jimmysmitty , April 17, 2014 7:17 PM
    I only log into Steam itself, almost never through the website unless Steam itself is down and even then I check the mobile app first.
  • 0
    Darkk , April 17, 2014 8:19 PM
    Well the cat is out of the bag so they may change this.
  • -3
    Kevin McCormick , April 17, 2014 9:20 PM
    Simple fix is to tie the SSFN to a single IP address. Even with the file, the scammer will have a different IP. Drawback is every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.
  • 4
    puggle man , April 17, 2014 10:06 PM
    Quote:
    Simple fix is to tie the SSFN to a single IP address. Even with the file, the scammer will have a different IP. Drawback is every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.


    Another drawback: IP addresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.
  • 0
    w8gaming , April 17, 2014 11:19 PM
    Some companies try to identify the range of similar IPs assigned by your ISP and won't ask for re-authentication if they are deemed to be from the same ISP. Blizzard does this. Guild Wars 2 does this as well. But GW2 always failed to detect that the dynamic IPs are from the same ISP.
  • 1
    Kelthar , April 18, 2014 2:18 AM
    I don't get how it is that Malwarebytes is given the credit for finding this out.

    I've seen warnings around, even by moderators on reddit (/r/steam), to not give out that file, about a month ago. Lots of people talking about this in different locations, so unless this was found out months ago by Malwarebytes, I don't think they deserve the credit.
  • 1
    Nefail Bushi , April 18, 2014 3:00 AM
    How can you call this a flaw? If you are dumb enough to send a copy of your whole HDD to someone, don't complain that he got all your documents, 'cause you sent them, dumbass.
  • 3
    mopman411 , April 18, 2014 3:25 AM
    Quote:
    Quote:
    Simple fix is to tie the SSFN to a single IP address. Even with the file, the scammer will have a different IP. Drawback is every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.


    Another drawback: IP addresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.


    Kevin was on the right track but took a turn too soon. Locking the SSFN to a machine's MAC address would be a much better alternative.
  • 0
    c123456 , April 18, 2014 4:25 AM
    Quote:
    Quote:
    Quote:
    Simple fix is to tie the SSFN to a single IP address. Even with the file, the scammer will have a different IP. Drawback is every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.


    Another drawback: IP addresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.


    Kevin was on the right track but took a turn too soon. Locking the SSFN to a machine's MAC address would be a much better alternative.


    I was ready to +1 this at first, but now I'm not too sure what you mean by this. Simply keeping the MAC address in the file wouldn't help since MACs can be spoofed. The best way would be to use the MAC address as a salt in some sort of encryption scheme. It's a hell of a lot slower, but the frequency of doing this per user shouldn't cause an impact on user experience.
  • -1
    Kevin McCormick , April 18, 2014 5:40 AM
    Quote:
    Quote:
    Simple fix is to tie the SSFN to a single IP address. Even with the file, the scammer will have a different IP. Drawback is every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.


    Another drawback: IP addresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.


    I do not expect IPs to change that often even if dynamically assigned.

    I've had the same IP for months, before that years. Only reason the IP changed was me replacing the router.
  • 0
    Kevin McCormick , April 18, 2014 5:47 AM
    Quote:
    Quote:
    Quote:
    Quote:
    Simple fix is to tie the SSFN to a single IP address. Even with the file, the scammer will have a different IP. Drawback is every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.


    Another drawback: IP addresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.


    Kevin was on the right track but took a turn too soon. Locking the SSFN to a machine's MAC address would be a much better alternative.


    I was ready to +1 this at first, but now I'm not too sure what you mean by this. Simply keeping the MAC address in the file wouldn't help since MACs can be spoofed. The best way would be to use the MAC address as a salt in some sort of encryption scheme. It's a hell of a lot slower, but the frequency of doing this per user shouldn't cause an impact on user experience.


    The idea would be for Valve to check the file information at login: they know the IP address of the requester, the MAC address could alternatively be fetched and checked, and then they compare the information with their own internal database. The MAC or IP would not have to be in the file, although it could be part of a hashing scheme.
  • 0
    soccerplayer88 , April 18, 2014 5:51 AM
    Quote:
    Quote:
    Simple fix is to tie the SSFN to a single IP address. Even with the file, the scammer will have a different IP. Drawback is every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.


    Another drawback: IP addresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.


    Steam Guard remembers your PC for 30 days after a successful login (snapshot of system config). This also takes a snapshot of your MAC address. As long as those two line up you won't have a problem. Dynamic IP address or not.
  • 1
    randomizer , April 18, 2014 6:57 AM
    This is not a security flaw in Steam Guard, or any process for that matter. This is a flaw in the user. It's just a standard social engineering attack. One could just as easily say that Steam itself has a security flaw because an attacker need only ask the user for their password and they're in.
  • 0
    n3cw4rr10r , April 18, 2014 11:02 AM
    So let me get this straight: If you are stupid enough to give someone your username and password and access to your computer so they can steal your SSFN file, it means Steam Guard has a security flaw? WTF kind of logic is that?
  • 0
    aule10 , April 18, 2014 11:17 AM
    Quote:
    So let me get this straight: If you are stupid enough to give someone your username and password and access to your computer so they can steal your SSFN file, it means Steam Guard has a security flaw? WTF kind of logic is that?


    Almost, not access to the computer, just send over the SSFN file from your Steam folder.
  • 1
    returnzork , April 18, 2014 5:22 PM
    This isn't very new. It has been reported before, and has not been "discovered" recently.