Unexpected Christmas presents: how Steam served the wrong user data

If you are a computer gamer, chances are that you use Valve Corporation’s Steam service. A cross-platform games planet, it sells, delivers and maintains games, supports multiplayer games, and even provides social networking among gamers. With over 6,400 games currently available, and more than 125 million active users, it must own the majority of the whole computer games market.

It came as a bit of a surprise to the 10 million or so who were logged onto the Steam servers on Christmas Day when they started to see details of other users’ accounts. Not that they could access those accounts, but according to the independent Steam Database, information revealed included email and billing addresses, and possibly – just possibly – some credit card details.

Steam’s shutdown on Christmas Day is shown as the hour or so of 0% service on the graph.

The alarm was raised via Twitter, and Valve Corporation took its service offline for an expensive hour whilst it fixed the problem. For the time being, the most probable explanation is a single misconfiguration on the servers: one flag controlling caching, which should have been set to NO, was set to YES instead.

Steam runs on Akamai’s servers, in common with many of Apple’s commercial services, and those of several other major players. Like many services, Steam uses caches – temporary data stores – to improve the performance of its interface. Normally those caches are separated according to user sessions, so that you cannot see data which was cached for me. Most likely, someone changed that single flag, for X-Check-Cacheable, so that everything was cached regardless of user sessions, and everyone started seeing everyone else’s cached data.

There is currently no suggestion that this extraordinary event was the result of a deliberate attack, although given its effect on users, their private information, and Valve’s revenues, it could as well have been.

No one knows how many Steam users saw information which they should not have seen during the hour or so before Valve shut its service down. So far, there are no reports of any misuse of any of the leaked private information, and no one seems to have come to any harm.

This is not the first security problem encountered by the Steam service. Steam Database has previously raised a series of concerns, some of which have been addressed by Valve, as detailed here.

What is most surprising about this particular incident is its exposure of a single point of failure in Steam’s design for privacy (and security): by toggling a single flag in the server, the service went from working normally and respecting the boundaries for each user, to serving any and all information it happened to have to hand.
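The failure mode described above can be shown with a toy shared cache. This is an added example, not Valve's or Akamai's code: the `cache_everything` flag, the `origin_guard` check, the paths and the user names are all hypothetical and constructed for illustration. It shows one switch leaking a per-user page, and a second, independent check on the origin's `Cache-Control` header that holds even when the switch is flipped.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str
    session: str = ""            # constructed session cookie value

@dataclass
class Response:
    body: str
    cache_control: str = ""      # header as sent by the origin

def origin(req: Request) -> Response:
    """Constructed origin: /account is per-user, everything else is static."""
    if req.path == "/account":
        return Response(f"billing details for {req.session}", "private, no-store")
    return Response(f"static content for {req.path}", "public, max-age=300")

@dataclass
class EdgeCache:
    cache_everything: bool = False   # hypothetical operator flag (the single switch)
    origin_guard: bool = True        # independent check on the response itself
    store: dict = field(default_factory=dict)

    def storable(self, req: Request, resp: Response) -> bool:
        directives = {d.strip().lower() for d in resp.cache_control.split(",")}
        marked_private = bool(directives & {"private", "no-store"})
        session_bound = bool(req.session) and "public" not in directives
        if self.origin_guard and (marked_private or session_bound):
            return False             # the guard wins even if the flag is flipped
        return self.cache_everything or "public" in directives

    def fetch(self, req: Request) -> str:
        key = req.path               # shared key with no session component
        if key in self.store:
            return self.store[key]   # served to whoever asks next
        resp = origin(req)
        if self.storable(req, resp):
            self.store[key] = resp.body
        return resp.body

def second_user_view(cache: EdgeCache) -> str:
    """alice loads her account page, then bob requests the same URL."""
    cache.fetch(Request("/account", session="alice"))
    return cache.fetch(Request("/account", session="bob"))

if __name__ == "__main__":
    print(second_user_view(EdgeCache(cache_everything=True, origin_guard=False)))
    print(second_user_view(EdgeCache(cache_everything=True, origin_guard=True)))
```

With the guard off and the flag on, bob is served alice's page; with the guard on, the same flag change no longer crosses the user boundary, while static content is still cached.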

It does not take an experienced security researcher to spot that this is a glaring flaw in the design of the service. Although Valve is a US-based corporation, its operations in Europe are subject to EU law through its offices in Luxembourg. Presumably this data breach has already been reported to the national data protection authority there, the CNPD, as required under European law. It will be very interesting to see what the CNPD makes of this single point of failure, and whether its presence is compatible with the responsibilities of Valve Corporation to take adequate measures to protect the privacy of its users’ data.

Or maybe everyone is just hoping that we will forgive and forget.