HTML holes exposed sensitive data for “private” Steam user accounts

Valve pushes out fix after Ars brings security hole to its attention.

Valve has remedied a major potential privacy issue with the Steam Community website after it was brought to the company's attention by Ars. The flaw allowed anyone to view game purchase history, achievement history, recent play time, and more—even for Steam users that had set their profiles to private.

I recently discovered the privacy hole when fiddling with Steam's profile settings and examining the source code behind the site. Since the problem exposed potentially sensitive data about Steam users, the examples cited in this article will primarily be from my personal profile. That said, we independently confirmed that the privacy hole applied to any profile that was set to "Private" or "Friends only." Many such profiles could be easily discovered using Google without prior knowledge of the user's Steam ID number or name.

Out of respect for the privacy of Steam's more than 50 million users, we did not immediately publish our discovery of this privacy hole. Instead, we documented the problem and notified Valve of the issue late on Monday evening. Within three hours of sending our message, our spot checks showed that the problem appeared to be remedied.

Despite apparently fixing the issue, Valve has not officially commented on the matter, or even acknowledged that it was made aware of the problem. This lack of response would likely not be appreciated by security researchers and users, and the company's silence may discourage future "private disclosure" of security flaws. Cooperation with users and security researchers is standard from companies like Microsoft and Google and is crucial to ensure software and services are as secure as they can be.

The hole

My Steam profile page, which correctly notes that my account is private.

If you went to my Steam community profile page before Monday, it would correctly show my profile as private (as it still does). You would get the same message if you tried to force the website to show a list of my Steam games, by adding "/games/?tab=all" to the end of the URL (e.g., http://steamcommunity.com/id/KyleOrl/games/?tab=all).

Viewing the HTML source code of that page, however, revealed a good deal of data that Steam users might want to keep private. Anyone looking at the source of this page could get a complete and apparently accurate list of every game in any private Steam library through a plaintext JavaScript definition for an array named rgGames[].

As you can see in the screenshot below and in this complete PasteBin copy of the source taken before the hole was fixed, this list is relatively human-readable, despite a lot of JavaScript cruft surrounding it. Fortunately, other data that is usually included in public user profiles, such as total playtime for each game, seems to have been suppressed in private profiles.

The source code for my "private" game page, as accessed before Monday, with the relevant game names highlighted.

The potential for privacy breaches continues from there. Using the revealed list of games and a minor amount of URL modification, anyone could expose a private Steam user's Achievement page for the game in question. To access this page for Portal 2, for instance, you would simply add "stats/Portal2/?tab=achievements" to the end of a user's standard profile URL (i.e. http://steamcommunity.com/id/KyleOrl/stats/Portal2/?tab=achievements). This page is usually not publicly linked for users whose Steam profiles are set to private, and relying on security through obscurity proved insufficient.

My "private" Portal 2 achievements page showed when I played the game and how much I played it recently.

Aside from revealing gameplay details to some extent, the Achievements page also exposes precisely when those Achievements were earned, and consequently some information about when the Steam user was playing that game. This could be considered sensitive information, especially for a Steam user that had gone to the trouble of setting their profile to Private. The Achievements pages also reveal how much the user has been playing each game in the last two weeks.

For games that track multiplayer stats, a bit of URL work can also reveal a complete history of a private user's online records, favorite characters, and more. The below example shows such data for a private player of Payday: The Heist, whose name has been blurred out for privacy reasons.

The multiplayer Payday: The Heist stats for a private user, before the hole was fixed.

Furthermore, the same basic method can be used to expose a private user's Badge page, by simply adding "/badges/" to the end of a private user page URL. This page easily showed the world roughly when the private Steam account was created, and it could also reveal incidental information such as whether the account is linked to Facebook or if there are any friends associated with the account.

My supposedly private "Badges" page revealed some more incidental information about my account.

Now that the privacy hole has been plugged, Steam users need not take any additional action to protect their sensitive data (though concerned users should check their Steam settings to ensure that their profile is set to Private, if they don't want their information publicly viewable). Trying any of the URL modifications mentioned above for a private account now redirects a visitor harmlessly to the Steam user's main profile page, which simply states, "This profile is private" (and contains no additional relevant information hidden in the HTML).
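The two defects the article describes are a data array (rgGames[]) written into the page's HTML even when the visible list is hidden, and sub-pages (games, stats, badges) that relied on not being linked rather than on a check. The following is an added example, not Valve's or Steam's code, that models both defects in a toy profile server and shows the hardened form: one visibility decision applied before any sub-route renders, with unauthorized requests collapsing to the same "This profile is private" page, exactly the behaviour the fixed site now exhibits. It also adds a friends-only case and a leak check a test suite could run against responses. Every name here (Profile, PROFILES, can_view, the renderers, handle_request_hardened, response_leaks) and all sample accounts are hypothetical, constructed for the demonstration.

```python
"""Added example (not Steam's code): a model of the profile-visibility flaw
described in the article, the hardened form beside it, and a regression
check for private data leaking into response bodies.

All identifiers and sample accounts below are hypothetical."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Profile:
    steam_id: str
    visibility: str                      # "public", "friends" or "private"
    games: List[str] = field(default_factory=list)
    friends: Set[str] = field(default_factory=set)


# Constructed sample accounts, not real users.
PROFILES: Dict[str, Profile] = {
    "alice": Profile("alice", "public", ["Portal 2", "Payday: The Heist"], {"bob", "carol"}),
    "bob": Profile("bob", "private", ["Portal 2", "Half-Life 2"], {"alice"}),
    "carol": Profile("carol", "friends", ["Team Fortress 2"], {"alice"}),
}


def can_view(profile: Profile, viewer: Optional[str]) -> bool:
    """The single authorization decision every profile sub-page must use."""
    if viewer == profile.steam_id or profile.visibility == "public":
        return True
    if profile.visibility == "friends":
        return viewer in profile.friends
    return False


def render_games_vulnerable(profile: Profile, viewer: Optional[str]) -> str:
    """Flawed pattern: the visible list honours the privacy setting, but the
    data array is serialised into the page's JavaScript for every viewer."""
    if can_view(profile, viewer):
        body = "<ul>" + "".join(f"<li>{g}</li>" for g in profile.games) + "</ul>"
    else:
        body = "<p>This profile is private</p>"
    script = f"<script>var rgGames = {json.dumps(profile.games)};</script>"
    return body + script                 # leaks the library whatever `body` says


def render_games_hardened(profile: Profile) -> str:
    """Only ever called after the visibility check has passed."""
    items = "".join(f"<li>{g}</li>" for g in profile.games)
    return f"<ul>{items}</ul><script>var rgGames = {json.dumps(profile.games)};</script>"


def handle_request_hardened(path: str, viewer: Optional[str]) -> dict:
    """Route any /id/<user>/... URL. The visibility check runs once, before the
    sub-page (games, stats, badges, ...) is even looked at, so an unlinked
    URL is no longer a way around the privacy setting."""
    parts = [p for p in path.split("?", 1)[0].split("/") if p]
    if len(parts) < 2 or parts[0] != "id" or parts[1] not in PROFILES:
        return {"status": 404, "body": ""}
    profile = PROFILES[parts[1]]
    if not can_view(profile, viewer):
        # Every sub-route collapses to the same page, and that page carries
        # no profile data anywhere in its HTML.
        return {"status": 302, "location": f"/id/{profile.steam_id}/",
                "body": "<p>This profile is private</p>"}
    sub = parts[2] if len(parts) > 2 else ""
    if sub == "games":
        return {"status": 200, "body": render_games_hardened(profile)}
    # stats/, badges/ and the bare profile page hang off the same guard.
    return {"status": 200, "body": f"<h1>{profile.steam_id}</h1>"}


def response_leaks(profile: Profile, html: str) -> List[str]:
    """Regression check: which private fields appear anywhere in the response
    body, markup and inline scripts included, not just in the visible text?"""
    return [g for g in profile.games if g in html]


if __name__ == "__main__":
    bob = PROFILES["bob"]
    print("vulnerable leaks:", response_leaks(bob, render_games_vulnerable(bob, None)))
    print("hardened:", handle_request_hardened("/id/bob/games/?tab=all", None))
```

The point of response_leaks is that it scans the whole body, not the rendered text: a check that only looked at what a browser displays would have passed the vulnerable renderer, just as the site's own private-profile message did.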

Given the obscurity of the issue and the relatively small proportion of Steam users that use Private profiles, it's unlikely anyone's data was seriously compromised by the oversight. Still, the whole affair goes to show that options to opt out of sharing features for some social networks may not be as airtight as they seem.