Heartbleed bug in OpenSSL is major security risk, patches rolling out now

#1
Update:

Valve says vulnerabilities on http://steamcommunity.com have been resolved. We suggest changing your password and resetting SteamGuard now.
https://twitter.com/SteamDB/status/453598542943498240

For those wondering how to reset SteamGuard, go to Steam's settings, manage SteamGuard and click the checkbox + next.
https://twitter.com/SteamDB/status/453601646690705408/photo/1

Issues with partner specific Steam websites have also been resolved. Devs should change their pass and reset SteamGuard immediately.
https://twitter.com/SteamDB/status/453605791627743232

-----

Just saw these. SteamDB posted them an hour ago.

https://twitter.com/SteamDB

We recommend NOT using any Steam services until Valve issues a fix for a recently discovered vulnerability. We've contacted them about it.
This vulnerability is especially dangerous for Steam partners (unless you want your things leaked).
@Jessassin It's a dangerous issue to everyone, it's more dangerous for developers because they deal with more sensitive content.
@Patschi95 It's the Heartbleed issue.
@SteamDB We need to log off from Steam and all sites that use Steam OpenID login? Also you're gonna inform us if this gets fixed, right?

@MKovacevic91 We'll inform you when it's fixed, and it's better to not do anything at the moment including logging off sites.
http://heartbleed.com/

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.
more at the link

#8
That sounds pretty scary, I hope it gets fixed soon.
I don't really understand it 100%, so should I just log out of Steam and then not touch it again until it is fixed or should I do something else?

Just want to be on the safe side, so best ask since you lot seem to know what you're talking about.

#11
> That sounds pretty scary, I hope it gets fixed soon.
> I don't really understand it 100%, so should I just log out of Steam and then not touch it again until it is fixed or should I do something else?
>
> Just want to be on the safe side, so best ask since you lot seem to know what you're talking about.

Theoretically you shouldn't even log out of Steam, since it still sends out info to the server when you do that.

#12
> That sounds pretty scary, I hope it gets fixed soon.
> I don't really understand it 100%, so should I just log out of Steam and then not touch it again until it is fixed or should I do something else?
>
> Just want to be on the safe side, so best ask since you lot seem to know what you're talking about.

@SteamDB We need to log off from Steam and all sites that use Steam OpenID login? Also you're gonna inform us if this gets fixed, right?

@MKovacevic91 We'll inform you when it's fixed, and it's better to not do anything at the moment including logging off sites.

TheD (The Detective)
#17
> That sounds pretty scary, I hope it gets fixed soon.
> I don't really understand it 100%, so should I just log out of Steam and then not touch it again until it is fixed or should I do something else?
>
> Just want to be on the safe side, so best ask since you lot seem to know what you're talking about.

Well, the problem is that OpenSSL allows a remote attacker to read 64KB of memory that OpenSSL has access to per TLS heartbeat (not sure what TLS heartbeat does TBH) and not leave any trace.
That means an attacker can steal your credentials (like your Steam name and password) and any content that is fed over SSL.
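An added illustration of the length check behind the memory read described in that post (example code, not OpenSSL's, Valve's or Steam's; the heartbeat layout and field names follow RFC 6520, the sample records are constructed):

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 6520 heartbeat layout: type(1) | payload_length(2, big-endian) |
 * payload | padding (at least 16 bytes). The Heartbleed responder trusted
 * payload_length without comparing it to the bytes actually received, so
 * the reply was filled from whatever followed the request in memory. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3
#define HB_MIN_PAD  16

/* Returns the validated payload length, or -1 when the record must be
 * dropped without a reply (the fix: the claimed length has to fit). */
int hb_validate(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR + HB_MIN_PAD || rec[0] != HB_REQUEST) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed + HB_MIN_PAD > rec_len) return -1; /* Heartbleed check */
    return (int)claimed;
}

/* Writes a response into out; returns its length or -1. Only the validated
 * number of payload bytes is echoed, and padding is freshly written rather
 * than copied (a real stack uses random padding; zeros here for brevity). */
int hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    int plen = hb_validate(rec, rec_len);
    if (plen < 0) return -1;
    size_t need = HB_HDR + (size_t)plen + HB_MIN_PAD;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, (size_t)plen);
    memset(out + HB_HDR + plen, 0, HB_MIN_PAD);
    return (int)need;
}

/* Constructed samples: a well-formed 5-byte "hello" request (zero padding),
 * and a 20-byte record that claims a 65535-byte payload. */
static const uint8_t hb_good[24] = { 1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t hb_evil[20] = { 1, 0xFF, 0xFF, 'x' };

/* Response length for the good record (24), or -1 if the echo is wrong. */
int hb_demo_good(void) {
    uint8_t out[64];
    int n = hb_build_response(hb_good, sizeof hb_good, out, sizeof out);
    if (n != 24 || out[0] != HB_RESPONSE || memcmp(out + HB_HDR, "hello", 5) != 0) return -1;
    return n;
}
/* The oversized claim is rejected: -1, no reply, no over-read. */
int hb_demo_evil(void) { return hb_validate(hb_evil, sizeof hb_evil); }
```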

TheD (The Detective)
#23
> What if I saved my password in the computer on which I installed the Steam client so I don't have to enter it every time I use Steam? Is it safe or not to use it?

It is no different whether you enter your password by hand or have a local system remember it for you; it still needs to get sent to the server (and thus end up in the server's memory).

JaseC
#31
> "Only"
>
> That's close to 2 years of every OpenSSL release that is vulnerable.

A poor word choice, admittedly, but my point is simply that if Valve has been keeping its OpenSSL version up-to-date then it has nothing to worry about.

> Tried it multiple times, still the same for store.steampowered.com. But yahoo.com and steamcommunity.com come back as vulnerable.

Ditto.

#35
> A poor word choice, admittedly, but my point is simply that if Valve has been keeping its OpenSSL version up-to-date then it has nothing to worry about.

Well the non-vulnerable version only came out yesterday so it is not surprising that they haven't updated it yet. Just reading about the scale of the bug, I think having Steam compromised might be the least of our concerns.

benny_a
#36
> A poor word choice, admittedly, but my point is simply that if Valve has been keeping its OpenSSL version up-to-date then it has nothing to worry about.

The first OpenSSL version since March 2012 that isn't affected by this was released yesterday. The reason this vulnerability is known to the public is because it has been patched yesterday.

#48
Does green mean "safe" or "the check succeeded" (hence the site is vulnerable)? That's an important distinction!

Either way, yay for my next game being something I've already downloaded from GoG (which is *also* showing vulnerabilities).

Edit: The guy wrote a little FAQ; 'red' means 'vulnerable'; a 'false green' is therefore reporting that it's secure when it's not - hence why sometimes retries show differing results, and the 'fail' attempt is the definite one.

Edit2: Steam's now not showing any issues. Fixed already?

#49
> Does green mean "safe" or "the check succeeded" (hence the site is vulnerable)? That's an important distinction!
>
> Either way, yay for my next game being something I've already downloaded from GoG.
>
> Edit: The guy wrote a little FAQ; 'red' means 'vulnerable'; a 'false green' is therefore reporting that it's secure when it's not - hence why sometimes retries show differing results, and the 'fail' attempt is the definite one.

I figured that was the case. It'd be much easier to get a false safe result than a false positive result.