Since I see no thread about it, I will create one. Yesterday I got an Email from ITAD which reads like this:

Hello,
I'm writing you to disclose a Steam login vulnerability on our website that we have been notified about and already fixed.

The vulnerability allowed an attacker to spoof login via Steam and access any account that was using Steam Single Sign-on on IsThereAnyDeal.
An attacker would be able to access only your ITAD account; your Steam account is safe!

We have no evidence that any of your accounts were accessed this way; we believe only admin accounts were targeted.

Although the issue is fixed, if you would like to switch from Steam Single Sign-On to email and password login, you can do that at any time in your settings: https://isthereanydeal.com/settings/account/

I am very sorry about this and we will do everything in our power to prevent any other future vulnerability.

Best regards,
Tomas

So now you know.

3 years ago

Thanks for sharing this. I got the same email and didn't even think to share this.

3 years ago

What I asked myself after I got this E-Mail:

We only have Steam single sign-on on Steamgifts... Is this safe, or should we also start to move to an email login?

3 years ago

They say that they fixed it, so it was just a bad implementation. So I would not worry about SG.

3 years ago

I don't think there is much to discuss. Not that I'm using ITAD much, but what could go wrong if somebody gets access to my account? They will find out the games I want? They add some games to that list? Does not sound dangerous to me, inconvenient at most. It's still good that those guys fixed it, and it's great that they decided to inform users - that's the right thing to do, always.

3 years ago

Deleted

This comment was deleted 3 years ago.

3 years ago

wait, are we not supposed to mention gg.deals?

3 years ago

Funny thing is: I received this email a couple of hours after being forcibly kicked out of Steam twice while playing and asked to re-enter my Steam Guard password on the Steam login popup. Is this related? Have no clue. But I definitely found it quite weird. Never happened to me in many years.

3 years ago

It looks more like someone knows your password and tried to log in to your account, but Steam Guard didn't let them pass; since they used the right login and password, Steam kicked you out.

3 years ago

It's unrelated; all the potential attacker could do was log in as you and change your settings on the ITAD site.

3 years ago

Read this, then checked my e-mail. Got one too. What's the worst that could happen? Someone maliciously adds all that Steam shovelware to my wishlist? Or deletes everything on my wishlist (actually that might be doing me a favour)?

3 years ago

Worst I can think of is perhaps setting your Steam store to look 20% more expensive so that you would go to another store.

3 years ago

Deleted

This comment was deleted 11 months ago.

3 years ago

Not sure what to do in this situation. Do I need to do something with that or should I just treat it as a fun fact and move on?

3 years ago

Maybe just quickly skim your settings to see if something odd is there (some discounts on shops, empty wishlist,…), but not really - the bug was fixed.

3 years ago

Thanks!

3 years ago

👀... Thank you for the info.
(I don't use it, but it's an important topic for those who use it.)

3 years ago

Closed 1 year ago by AmanoTC.