I discovered a serious security vulnerability in the Steam Android app!
I went to log in just now on the mobile app and had to verify the login attempt with a Steam QR code. However, I simply stepped back off that notification screen without scanning a QR code and was shocked to discover I had full access to my Steam account. That inspires confidence.... NOT!! 🤨
Last edited by Zurkster; 31 Jul @ 5:55am
Have you logged in on that device before? Most likely the app still had a valid session token and the session was still active. I'm a back-end developer and that's my first logical assumption.
Originally posted by Paulie Walnuts:
Have you logged in on that device before? Most likely the app still had a valid session token and the session was still active. I'm a back-end developer and that's my first logical assumption.

This. It saves old passwords and tokens for certain websites, especially if you tick that box that says "save my info so I don't have to log in" on the account. As Paulie Walnuts says, it saves the info on your device.
Zurkster 31 Jul @ 10:08am 
Originally posted by RPG Gamer Man:
Originally posted by Paulie Walnuts:
Have you logged in on that device before? Most likely the app still had a valid session token and the session was still active. I'm a back-end developer and that's my first logical assumption.

This. It saves old passwords and tokens for certain websites, especially if you tick that box that says "save my info so I don't have to log in" on the account. As Paulie Walnuts says, it saves the info on your device.

As the title suggests, it was the Android Steam app at fault, not a visit via a browser. I was not previously signed into my account, having just installed the app. I logged into the app and, after initially logging in, was presented with a separate QR code check screen overlay. But as I also previously mentioned, I simply hit the back button and was fully logged in to my Steam account via the freshly installed app. Go figure! 🤨😏
Last edited by Zurkster; 31 Jul @ 10:09am
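The thread boils down to one design question: is the QR step a gate the server enforces on the session, or only a screen the client shows? This added example (not Steam's code, and no claim about how the Steam app or backend actually work) models both designs with a hypothetical `AuthServer` and constructed demo credentials, then replays the reported sequence: correct password, QR screen dismissed with the back button, then a request for account data. Only the client-side-gated variant hands the data over.

```python
"""Added example: server-side vs client-side enforcement of a second login factor.

Illustrative code written for this thread. The AuthServer class, its methods and
the demo credentials are all assumptions; none of it is Steam's code.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    second_factor_done: bool  # set only when the server itself sees the QR/mobile approval


class AuthServer:
    """Hypothetical backend. With require_second_factor=True a session is only
    fully privileged once confirm_second_factor() has been called on the server."""

    def __init__(self, users, require_second_factor=True):
        # Constructed demo credentials; a real system stores salted password hashes.
        self._users = users
        self._sessions = {}
        self._require_second_factor = require_second_factor

    def password_login(self, user, password):
        if self._users.get(user) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        # Weak variant (require_second_factor=False): the session is complete as soon
        # as the password matches, so the QR prompt is a purely client-side screen
        # and pressing back on it changes nothing the server can see.
        self._sessions[token] = Session(user, second_factor_done=not self._require_second_factor)
        return token

    def confirm_second_factor(self, token, approved):
        session = self._sessions.get(token)
        if session is None:
            raise PermissionError("unknown session")
        if approved:
            session.second_factor_done = True

    def account_data(self, token):
        session = self._sessions.get(token)
        if session is None:
            raise PermissionError("unknown session")
        if not session.second_factor_done:
            raise PermissionError("second factor pending")
        return {"user": session.user, "library": ["game-a", "game-b"]}  # constructed data


USERS = {"zurkster": "correct horse battery staple"}  # constructed demo data


def back_button_gets_in(server):
    """Replay the reported behaviour: correct password, then dismiss the QR screen
    without scanning. Returns True if the server still hands over account data."""
    token = server.password_login("zurkster", "correct horse battery staple")
    # No confirm_second_factor() call: the user pressed back instead of scanning.
    try:
        server.account_data(token)
        return True
    except PermissionError:
        return False


def approved_flow_gets_in(server):
    """Control case: the QR approval actually reaches the server."""
    token = server.password_login("zurkster", "correct horse battery staple")
    server.confirm_second_factor(token, approved=True)
    try:
        server.account_data(token)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    weak = AuthServer(USERS, require_second_factor=False)
    strong = AuthServer(USERS, require_second_factor=True)
    print("client-side gate only, back button:", back_button_gets_in(weak))    # True
    print("server-side gate, back button:     ", back_button_gets_in(strong))  # False
    print("server-side gate, QR approved:     ", approved_flow_gets_in(strong))  # True
```

The practical check for a real app is the same shape as `back_button_gets_in`: after the password step, drop the second-factor screen and make an authenticated API call with the session you were issued. If it succeeds, the factor is being gated on the client rather than on the session's server-side state; if it is rejected until the approval is recorded, the back button was never a bypass, and the explanation offered above (a previously stored, still-valid session) is the one to look at.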
nullable 31 Jul @ 11:19am 
Are you able to reproduce that behaviour? Because while you might be pretty sure, willing to bet money, people can make mistakes. If the bug exists as you believe it does, you should be able to recreate it. If not, there might be another explanation.
Originally posted by nullable:
Are you able to reproduce that behaviour? Because while you might be pretty sure, willing to bet money, people can make mistakes. If the bug exists as you believe it does, you should be able to recreate it. If not, there might be another explanation.

Yes, if you can recreate it, give your findings to Steam. They may even give you money for finding such a fault in their phone app. Some companies pay people when they find major issues with their software. Not sure if Steam/Valve does this, but it cannot hurt to ask them.
Last edited by RPG Gamer Man; 31 Jul @ 11:40am
Zurkster 1 Aug @ 10:32am 
In order to reproduce the circumstances, I would require a fresh installation of the Steam app on a clean Android device and log into Steam anew. Only then would I be accurately recreating the conditions of the fault that I first witnessed. Neither is practical just to prove a point, although I agree it is a potential security vulnerability that warrants some investigation. Otherwise, why would I have even bothered reporting the incident in the first place?