A Reddit user has stumbled upon an issue that gives anyone access to a Steam account’s email preferences through Google search, which also displays the email address. Anyone can then change those email preferences for that user. Others have reported this as an exploit; however, it is apparently limited to one user and, seemingly, not something that can be reproduced for other accounts.
Essentially, it seems that Google has indexed this specific user’s email preferences page, which contains the token assigned to their account. A token is just a string of characters that is placed in a URL to authenticate a user’s session for a particular page. If someone has your string of characters, they could paste it into their own URL to access whatever page is being secured by that token. For those worried about their security, the token used here is over fifty characters long, so the chances of finding other accounts by randomly changing letters or numbers are extremely low. Attempting to randomly guess it is no different than randomly attempting to brute force a 50-character computer-generated password.
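One way a site operator could check whether search crawlers have fetched token-bearing URLs like the one described above, as an added example (not code from Valve, Google or the Reddit post). The log lines and token are constructed, and the `/email/preferences` path and `token` parameter name are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed 52-character token; the path and parameter name are hypothetical.
TOKEN = "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9t0U1v2W3x4Y5z6"
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

# Constructed access-log lines in combined log format.
SAMPLE_LOG = [
    f'203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /email/preferences?token={TOKEN} HTTP/1.1" 200 5120 "-" "{BROWSER}"',
    f'198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET /email/preferences?token={TOKEN} HTTP/1.1" 200 5120 "-" "{GOOGLEBOT}"',
    f'198.51.100.7 - - [01/Jan/2024:10:06:00 +0000] "GET /email/preferences HTTP/1.1" 200 2048 "-" "{GOOGLEBOT}"',
    f'198.51.100.9 - - [01/Jan/2024:10:07:00 +0000] "GET /email/preferences?token={TOKEN} HTTP/1.1" 403 310 "-" "bingbot/2.0"',
]

LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# User-Agent is self-reported, so this is a triage signal, not proof of identity.
CRAWLER_RE = re.compile(r"googlebot|bingbot|duckduckbot|yandex", re.I)
# Long opaque values are treated as secrets whatever the parameter is called.
SECRET_RE = re.compile(r"^[A-Za-z0-9_-]{32,}$")


def token_params(target):
    """Names of query parameters whose values look like long random tokens."""
    return [k for k, v in parse_qsl(urlsplit(target).query) if SECRET_RE.match(v)]


def find_crawled_token_urls(lines):
    """Report successful crawler fetches of token-bearing URLs, values withheld."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        names = token_params(m["target"])
        if names and m["status"] == "200" and CRAWLER_RE.search(m["agent"]):
            findings.append({"path": urlsplit(m["target"]).path,
                             "params": names, "agent": m["agent"]})
    return findings


if __name__ == "__main__":
    for hit in find_crawled_token_urls(SAMPLE_LOG):
        print(hit)
```

A hit means a secret-bearing URL was served successfully to an indexer; the findings deliberately omit the token value so the report itself does not spread it.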
The Reddit post has some ideas about exactly why the problem exists, but there is no concrete answer. Right now, it seems that Google has indexed this specific user’s email preferences page as the link it uses to reach Steam’s general email preferences page. If so, that seems to be some sort of problem with Google.
However, why exactly did Google save that specific data instead of the general page for everyone, and why was it something they could access? So far, as noted previously, this issue seems limited to one user, but we’re uncertain if more information on Steam is available through Google. We have reached out to both Google and Valve for comment and clarity on the issue, and will update as soon as we find out more.
At this point, there’s no telling whether this is an issue on Steam’s end or Google’s. If and when we receive any update from Valve or Google, we will update this article.
Right now this is not a huge deal as it seems limited to one user. However, why this is a problem at all is what I’d like to see an answer to. We don’t know if this is isolated or not either, or what caused the problem at all. Right now the problem still exists, almost 24 hours later, and hopefully we’ll get something from either Valve or Google.