
Heartbleed bug in OpenSSL is major security risk, patches rolling out now

Update:

Valve says vulnerabilities on http://steamcommunity.com have been resolved. We suggest changing your password and resetting SteamGuard now.

https://twitter.com/SteamDB/status/453598542943498240

For those wondering how to reset SteamGuard, go to Steam's settings, manage SteamGuard and click the checkbox + next.

https://twitter.com/SteamDB/status/453601646690705408/photo/1

Issues with partner specific Steam websites have also been resolved. Devs should change their pass and reset SteamGuard immediately.

https://twitter.com/SteamDB/status/453605791627743232

-----

Just saw these. SteamDB posted them an hour ago.

https://twitter.com/SteamDB

We recommend NOT using any Steam services until Valve issues a fix for a recently discovered vulnerability. We've contacted them about it.

This vulnerability is especially dangerous for Steam partners (unless you want your things leaked).

@Jessassin It's a dangerous issue to everyone, it's more dangerous for developers because they deal with more sensitive content.

@Patschi95 It's the Heartbleed issue.

@SteamDB We need to log off from Steam and all sites that use Steam OpenID login? Also you're gonna inform us if this gets fixed, right?

@MKovacevic91 We'll inform you when it's fixed, and it's better to not do anything at the moment including logging off sites.

http://heartbleed.com/

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

more at the link
 

JaseC

gave away the keys to the kingdom.
Do we know what version of OpenSSL Valve uses? As per the Heartbleed Bug site only 1.0.1 up to and including 1.0.1f are vulnerable.
 
That sounds pretty scary, I hope it gets fixed soon.
I don't really understand it 100%, so should I just log out of Steam and then not touch it again until it is fixed or should I do something else?

Just want to be on the safe side, so best ask since you lot seem to know what you're talking about.
 

benny_a

extra source of jiggaflops
Do we know what version of OpenSSL Valve uses? As per the Heartbleed Bug site only 1.0.1 up to and including 1.0.1f are vulnerable.
"Only"

That's close to 2 years of every OpenSSL release that is vulnerable.
 
That sounds pretty scary, I hope it gets fixed soon.
I don't really understand it 100%, so should I just log out of Steam and then not touch it again until it is fixed or should I do something else?

Just want to be on the safe side, so best ask since you lot seem to know what you're talking about.

Theoretically you shouldn't even log out of Steam, since it still sends info to the server when you do that.
 
That sounds pretty scary, I hope it gets fixed soon.
I don't really understand it 100%, so should I just log out of Steam and then not touch it again until it is fixed or should I do something else?

Just want to be on the safe side, so best ask since you lot seem to know what you're talking about.

@SteamDB We need to log off from Steam and all sites that use Steam OpenID login? Also you're gonna inform us if this gets fixed, right?


@MKovacevic91 We'll inform you when it's fixed, and it's better to not do anything at the moment including logging off sites.

.
 
So since when has this Heartbleed bug been known? Because I logged into Steam yesterday. And logged out from Steam yesterday.

Am I on the safe side?
 
So since when has this Heartbleed bug been known? Because I logged into Steam yesterday. And logged out from Steam yesterday.

Am I on the safe side?

Reading that site, this looks multiple years old, but looking at reddit, threads came up 15 hours ago and SteamDB tweeted an hour ago.
 

TheD

The Detective
That sounds pretty scary, I hope it gets fixed soon.
I don't really understand it 100%, so should I just log out of Steam and then not touch it again until it is fixed or should I do something else?

Just want to be on the safe side, so best ask since you lot seem to know what you're talking about.

Well, the problem is that OpenSSL allows a remote attacker to read 64KB of memory that OpenSSL has access to per each TLS heartbeat (not sure what TLS heartbeat does TBH) and not leave any trace.
That means an attacker can steal your credentials (like your Steam name and password) and any content that is fed over SSL.
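TheD's summary above is the whole bug in one sentence: the server trusted the length field inside the heartbeat message instead of the length of the record it had actually received. The following is an added example, not code from this thread or from OpenSSL itself: a small Python validator that applies the missing bounds check to raw TLS heartbeat records and runs it over a few constructed sample records. The record builder, the sample bytes and the verdict names are my own; the record layout and the 16-byte minimum padding come from RFC 6520.

```python
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: every heartbeat carries at least 16 bytes of padding


def inspect_heartbeat(record: bytes) -> dict:
    """Validate one TLS record and, if it is a heartbeat, its length fields.

    The decisive test is the one vulnerable OpenSSL skipped: the payload length
    declared inside the heartbeat, plus the mandatory padding, must fit inside
    the record that was actually received. A mismatch is what let a peer read
    up to 64 KB of server memory past the end of the real payload.
    """
    if len(record) < 5:
        return {"verdict": "truncated_record", "have": len(record)}
    content_type, version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return {"verdict": "not_heartbeat", "content_type": content_type}
    body = record[5:]
    if len(body) < rec_len:
        return {"verdict": "truncated_record", "declared": rec_len, "have": len(body)}
    body = body[:rec_len]
    if rec_len < 3:
        return {"verdict": "length_mismatch", "reason": "no room for type and length"}
    hb_type = body[0]
    (payload_len,) = struct.unpack("!H", body[1:3])
    # The bounds check: type (1) + length (2) + payload + padding must fit the record.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return {"verdict": "length_mismatch", "hb_type": hb_type,
                "declared_payload": payload_len, "record_len": rec_len}
    return {"verdict": "ok", "hb_type": hb_type, "payload_len": payload_len,
            "version": version}


def build_heartbeat(hb_type: int, declared_len: int, payload: bytes,
                    padding: bytes = b"\x00" * MIN_PADDING, version: int = 0x0302) -> bytes:
    """Assemble a heartbeat record. declared_len is written as given so that
    test records can disagree with the payload they really carry."""
    body = bytes([hb_type]) + struct.pack("!H", declared_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(body)) + body


# Constructed sample traffic for the demo (not captured from any real server).
SAMPLE_RECORDS = [
    build_heartbeat(HB_REQUEST, 4, b"ping"),                 # honest request: lengths agree
    build_heartbeat(HB_REQUEST, 0x4000, b"", b""),           # claims 16 KB, carries nothing
    build_heartbeat(HB_RESPONSE, 4, b"ping", b"\x00" * 8),   # padding shorter than the RFC minimum
    b"\x16\x03\x01\x00\x05" + b"\x00" * 5,                   # handshake record: not our concern
]


def scan_records(records) -> list:
    """Return (index, verdict dict) for every heartbeat record that fails validation."""
    alerts = []
    for i, rec in enumerate(records):
        verdict = inspect_heartbeat(rec)
        if verdict["verdict"] not in ("ok", "not_heartbeat"):
            alerts.append((i, verdict))
    return alerts


if __name__ == "__main__":
    for i, verdict in scan_records(SAMPLE_RECORDS):
        print(f"record {i}: {verdict}")
```

One caveat for anyone turning this into a passive network check: heartbeats exchanged after the handshake are encrypted, so the declared payload length is only visible in cleartext heartbeats sent before ChangeCipherSpec. For encrypted ones the only observable is record size, so a heartbeat response record far larger than the request that preceded it is the signal to alert on. The patched server-side fix is simply to discard any record that fails the check above instead of copying the declared length into the response.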
 
If someone wants to test a site: http://filippo.io/Heartbleed/

Although...



Who to trust?

That's not how it came up for me...


(edit) Looks like yahoo is vulnerable as well... Gmail seems fine.
 
What if I saved my password on the computer on which I installed the Steam client so I don't have to enter it every time I use Steam? Is it safe or not to use it?
 

TheD

The Detective
What if I saved my password on the computer on which I installed the Steam client so I don't have to enter it every time I use Steam? Is it safe or not to use it?

It is no different whether you enter your password by hand or have a local system remember it for you; it still needs to get sent to the server (and thus ends up in the server's memory).
 
Tested a few sites, Nintendo, Microsoft, and Sony's stores all look clear. (figured that's good information on Neogaf)

(edit) Or not...
 
Second try (first was okay):



Don't know if this test is 100% reliable though.

Huh... I tested it like 4-5 times and it came back fine... That said, if it comes back negative even once I wouldn't trust it until we get confirmation it was fixed.

(edit) GOG also came up bad.
 

JaseC

gave away the keys to the kingdom.
"Only"

That's close to 2 years of every OpenSSL release that is vulnerable.

A poor word choice, admittedly, but my point is simply that if Valve has been keeping its OpenSSL version up-to-date then it has nothing to worry about.

Tried it multiple times, still the same for store.steampowered.com. But yahoo.com and steamcommunity.com come back as vulnerable.

Ditto.
 

Chili

Member
A poor word choice, admittedly, but my point is simply that if Valve has been keeping its OpenSSL version up-to-date then it has nothing to worry about.

Well the non-vulnerable version only came out yesterday so it is not surprising that they haven't updated it yet. Just reading about the scale of the bug, I think having Steam compromised might be the least of our concerns.
 

benny_a

extra source of jiggaflops
A poor word choice, admittedly, but my point is simply that if Valve has been keeping its OpenSSL version up-to-date then it has nothing to worry about.
The first OpenSSL version since March 2012 that isn't affected by this was released yesterday. The reason this vulnerability is known to the public is because it has been patched yesterday.
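JaseC and benny_a are arguing over the affected range, which the heartbleed.com text at the top of the thread pins down as 1.0.1 up to and including 1.0.1f. As an added example (not from the thread or from OpenSSL), here is a small Python checker that parses an `openssl version` banner and classifies it against that range. The banner strings are constructed samples, and the handling of distribution package builds is an assumption noted in the comments.

```python
import re

# Matches the numeric part and optional patch letter of an OpenSSL version,
# e.g. "1.0.1e", "1.0.1", "0.9.8y", wherever it appears in a banner line.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")

AFFECTED_BRANCH = (1, 0, 1)   # heartbleed.com: 1.0.1 up to and including 1.0.1f
LAST_AFFECTED_LETTER = "f"    # 1.0.1g, released the day this thread was posted, is the fix


def parse_openssl_version(banner: str):
    """Return (major, minor, fix, letter) from e.g. 'OpenSSL 1.0.1e 11 Feb 2013'."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSL version found in {banner!r}")
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def classify(banner: str) -> str:
    """'affected', 'not_affected' or 'unknown_backport' for one version banner."""
    major, minor, fix, letter = parse_openssl_version(banner)
    if (major, minor, fix) != AFFECTED_BRANCH:
        return "not_affected"          # 1.0.0 and 0.9.8 never shipped the heartbeat code
    if letter > LAST_AFFECTED_LETTER:
        return "not_affected"          # 1.0.1g and later ('' for plain 1.0.1 sorts below 'a')
    # Distribution packages commonly keep the upstream version string and backport
    # the fix. Assumption in this demo: a "-" suffix right after the version marks
    # such a package build, so the string alone cannot prove the build is vulnerable.
    if re.search(r"\d+\.\d+\.\d+[a-z]?-", banner):
        return "unknown_backport"
    return "affected"


# Constructed sample banners for the demo.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.1 14 Mar 2012",
    "OpenSSL 1.0.0k 5 Feb 2013",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "openssl 1.0.1e-2+deb7u5",      # package version of a distro build
]


def report(banners) -> dict:
    """Map each banner to its classification."""
    return {b: classify(b) for b in banners}


if __name__ == "__main__":
    for banner, verdict in report(SAMPLE_BANNERS).items():
        print(f"{verdict:17s} {banner}")
```

For the `unknown_backport` case, `openssl version -b` prints the build date; a 1.0.1e binary built after the fix was published is likely a backported package, but the package changelog is the only real proof.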
 

mclem

Member

Does green mean "safe" or "the check succeeded" (hence the site is vulnerable)? That's an important distinction!

Either way, yay for my next game being something I've already downloaded from GoG (which is *also* showing vulnerabilities).

Edit: The guy wrote a little FAQ; 'red' means 'vulnerable'; a 'false green' is therefore reporting that it's secure when it's not - hence why sometimes retries show differing results, and the 'fail' attempt is the definite one.

Edit2: Steam's now not showing any issues. Fixed already?
 
Does green mean "safe" or "the check succeeded" (hence the site is vulnerable)? That's an important distinction!

Either way, yay for my next game being something I've already downloaded from GoG.

Edit: The guy wrote a little FAQ; 'red' means 'vulnerable'; a 'false green' is therefore reporting that it's secure when it's not - hence why sometimes retries show differing results, and the 'fail' attempt is the definite one.

I figured that was the case. It'd be much easier to get a false safe result than a false positive result.
 
And this is the moment I laugh back at everyone who's been calling me a coward because I didn't trust the webz and still don't have internet banking
 