Steam, the online gaming platform and community from Valve, seems to have fixed a security issue today that allowed anyone to easily get information about games played, achievements, and stats from a private profile.
Kyle Orland of Ars Technica reports that he found the hole while poking around his own Steam profile. He found that you could manipulate the HTML address to unearth a number of different “private” pages associated with his profile, as well as find games he’d played in the page’s source code. According to Orland, he was able to “independently confirm” that this did not just affect his profile but others as well.
People in general should be concerned about these kinds of privacy snafus — not just gamers. Like most things on the Internet, what you believe to be personal or shared just with friends often appears in unexpected places. Thankfully, the information exposed in Steam’s case didn’t include highly sensitive data such as credit card numbers or home addresses. But it’s likely just as annoying as having a Facebook photo leaked.
Orland first tried to find a private user’s (which happened to be his own profile) list of games played by typing in “/games/?tab=all” after the profile’s URL. That didn’t work and instead brought him back to the private profile page. So he inspected the source code associated with the page, and there, in plain text, was the list he’d been looking for.
After identifying the games, he played with the HTML a little more, choosing to search for achievements in the game Portal 2. He added “stats/Portal2/?tab=achievements” to the end of the URL and was immediately taken to the Portal 2 achievements page associated with that profile.
Using the same method, he found the player’s stats for specific games, as well as badges. Orland noted that an observant snooper could find the times that person was playing a game, if their profile was connected to Facebook, and when the profile was created.
As is courteous and traditional, Orland reported the hole to Steam before going public with his information. The holes have seemingly been fixed, but Valve has not responded to the bug report.