Security Flaw Found in Steam Guard Process

The Inquirer reports that security firm Malwarebytes has discovered a way to steal Steam accounts by bypassing Steam Guard.

Typically, when a Steam customer tries to log in using a different PC, a different browser and/or a different device, a pop-up window will appear asking to enter a code that is delivered to the user's email address. Without this code, it's nearly impossible to log into the account.

However, in order for scammers to break into a Steam account, the victim must be driven to a fake login page. "Typically a Steam phish page asks for Username and Password, like all phish attacks - often these can be foiled by enabling Steam Guard on your account," said Malwarebytes intelligence analyst Christopher Boyd.

The fake Steam page will present the same pop-up Steam Guard window, but will ask for something different: the user's SSFN file. This file is what prevents users from having to reveal their identity through Steam Guard each time they try to log into their account via a browser. If the user deletes this file, then he/she would be required to identify themselves again, thus generating a new SSFN file.

Thus in order to get into a user's account, all hackers supposedly have to do is take that SSFN file and drop it into the Steam directory on the scammer's computer.

"We did some testing and can confirm that this technique - asking a victim to send their SSFN file to the scammer - does indeed work," Boyd explained. But if the Steam user tries to log in from a different computer or browser, they will get the original credentials request. At this point, the hacker can't get into the account unless he/she has control over the user's email address.

So why is stealing a Steam account a big deal other than acquiring a boat-load of free games?

"Compromised Steam accounts are big business, especially for those wanting to hijack accounts which have rare in-game items in their inventory. They'll 'trade' the items off to an account owned by the scammer, who will then go on to sell them for their own gain on the Steam Marketplace, buying games with the newly acquired funds in their Steam Wallet," Boyd said.

Hackers will also have access to the victim's purchase library, and be able to change the account's current email address, the current password, disable Steam Guard, change the payment info and so on. Of course, if users don't store their credit card information in Steam, that's one less thing to worry about.

Valve Software is currently aware of the issue, and the forum moderators are alerting all Steam users. Unfortunately, the report doesn't say how users end up on a fake Steam login page. Just keep in mind that if anyone asks for the SSFN file, ignore the request because handing that file over will be very bad news.

  • frozendarkness
    you have to be outright retarded to fall for this. i swear, it's like telling me the lock on my door isn't effective because robbers can just ask for my key
  • tomfreak
    I only login my steam Accounts on my computer, sooo the only way they get my SSFN file is go through 2 layers of firewalls = win8 + Comodo/zonealarm combo steal my SSFN file by taking it from my computer via internet, as it is no way I will give the SSFN file directly to them.
  • suture
    Old News, discovered this ages ago, copied my steam folder to a pen drive, runned in another PC and steam didnt asked for the steam guard code.
    So i logically assumed the security info was stored somewhere in a file in the steam folder.
  • ferooxidan
    Lol, I've been transferring my Steam folders to each and every desktop and laptop i have in order not to redownload games again. No authentication required and Steam automatically log in into my account. That easy.
  • jimmysmitty
    I only log into Steam itself, almost never through the website unless Steam itself is down and even then I check the mobile app first.
  • Darkk
    Well the cat is out of the bag so they may change this.
  • Kevin McCormick
    Simple fix is to tie the SSFN to a single IP address. Even with file scammer will have a different IP. Draw back is every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.
  • puggle man
    Simple fix is to tie the SSFN to a single IP address. Even with file scammer will have a different IP. Draw back is every time you switch IP addresses, with a laptop for example, you would have to re-authenticate through Steam Guard.

    Another drawback: IP adresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.
  • w8gaming
    some companies tries to identify the range of similar ip assigned by your ISP and won't ask for re-authentication if they are deemed from the same ISP. Blizzard does this. Guild Wars 2 does this as well. But GW2 always failed to detect the dynamic ips are from the same ISP.
  • Kelthar
    I don't get how is it that MalwareBytes is given the credit for finding this out.

    I've seen warnings around, even by moderators on reddit (/r/steam) to not give out that file; about a month ago. Lots of people talking about this on different locations, so unless this was found out months ago by MalwareBytes, I don't think they deserve the credit.