On 3rd January we received information about a vulnerability on IsThereAnyDeal.
The vulnerability allowed an attacker to spoof login via Steam and access any account that was using Steam Single Sign-On on IsThereAnyDeal.
It was fixed 20 minutes after we received the information about the vulnerability.
An attacker could only have accessed your IsThereAnyDeal account; your Steam account could not be affected by this vulnerability!
We have no evidence that any of your accounts were accessed this way; we believe only admin accounts were targeted.
Although the issue is fixed, if you would like to switch from Steam Single Sign-On to email and password login,
you can do that at any time in your settings.
I am very sorry about this and we will do everything in our power to prevent any other future vulnerability.
We had a bug in the code that handles Steam login. We were not checking the Steam ID in the response properly, which allowed attackers to spoof the response via their own implementation of an OpenID server.
How long did this last?
Unfortunately, the bug was in very old code that handled Steam login. We have no evidence it was ever found or used by anyone else until now.
Who is affected?
Any account that used Steam to log in could have been affected. New accounts could have been created this way too, basically like registering a new account.
You are not affected if you use an email and password combination. Your password is stored encrypted and this vulnerability could not access it.
Even so, if you want to be sure, you can change it in your settings.
What was accessible?
The attacker could have accessed ONLY IsThereAnyDeal accounts. It could NOT be used on your Steam account. All your IsThereAnyDeal data could potentially have been accessed, the same as if you yourself were logged in.
What did we do?
We have fixed the verification of the identity returned by the OpenID server.
What do you need to do?
You don't have to do anything. You can switch to an email and password combination and unlink your Steam account (your profile syncs won't be affected, since those use public data). You can do that in your settings.
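For readers who maintain their own Steam sign-in, here is an added example of what a hardened check of a Steam OpenID 2.0 response looks like. It is not IsThereAnyDeal's code, and it assumes one specific reading of the bug described above (the site trusting the provider endpoint named inside the response, so a different OpenID server could vouch for any Steam ID); the page itself only says the returned Steam ID was not checked properly. Every URL, nonce, handle and Steam ID below is constructed, and `offline_steam_verifier` is a stand-in for Steam so the example runs without network access; `steam_verifier` is the real HTTPS round trip.

```python
import hashlib
import hmac
import re
import urllib.request
from typing import Callable, Mapping
from urllib.parse import urlencode

STEAM_OPENID_ENDPOINT = "https://steamcommunity.com/openid/login"
OPENID_NS = "http://specs.openid.net/auth/2.0"
STEAM_ID_RE = re.compile(r"^https://steamcommunity\.com/openid/id/(\d{17})$")
REQUIRED_SIGNED = {"op_endpoint", "claimed_id", "identity", "return_to",
                   "response_nonce", "assoc_handle"}
# Performs the check_authentication round trip: (endpoint, fields) -> reply body.
Verifier = Callable[[str, Mapping[str, str]], str]


class OpenIdError(ValueError):
    """Raised when the response does not prove a Steam identity."""


def parse_kv_body(body: str) -> dict:
    """Parse the 'key:value' lines of an OpenID direct response."""
    out = {}
    for line in body.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def validate_steam_login(params: Mapping[str, str], expected_return_to: str,
                         verifier: Verifier) -> str:
    """Return the SteamID64 only if Steam itself vouches for this assertion."""
    if params.get("openid.ns") != OPENID_NS or params.get("openid.mode") != "id_res":
        raise OpenIdError("not an OpenID 2.0 positive assertion")
    # 1. Pin the provider: a response naming any other op_endpoint is rejected,
    #    and we never contact the endpoint the response itself names.
    if params.get("openid.op_endpoint") != STEAM_OPENID_ENDPOINT:
        raise OpenIdError("op_endpoint is not Steam")
    # 2. Pin the identifier shape; claimed_id and identity must agree.
    claimed = params.get("openid.claimed_id", "")
    match = STEAM_ID_RE.match(claimed)
    if not match or params.get("openid.identity") != claimed:
        raise OpenIdError("claimed_id is not a steamcommunity.com identity URL")
    # 3. The assertion must be addressed to us and the sensitive fields signed.
    if params.get("openid.return_to") != expected_return_to:
        raise OpenIdError("return_to mismatch")
    if not REQUIRED_SIGNED <= set(params.get("openid.signed", "").split(",")):
        raise OpenIdError("required fields not covered by the signature")
    # 4. Ask Steam, at the pinned endpoint, whether it issued this signature.
    check = dict(params, **{"openid.mode": "check_authentication"})
    reply = parse_kv_body(verifier(STEAM_OPENID_ENDPOINT, check))
    if reply.get("ns") != OPENID_NS or reply.get("is_valid") != "true":
        raise OpenIdError("Steam did not confirm the assertion")
    return match.group(1)


def steam_verifier(endpoint: str, fields: Mapping[str, str]) -> str:
    """Production verifier: POST check_authentication to Steam over HTTPS."""
    with urllib.request.urlopen(endpoint, data=urlencode(fields).encode(), timeout=10) as r:
        return r.read().decode()


def login_outcome(params, expected_return_to, verifier) -> str:
    """Wrapper returning 'ok:<steamid>' or 'rejected:<reason>'."""
    try:
        return "ok:" + validate_steam_login(params, expected_return_to, verifier)
    except OpenIdError as exc:
        return "rejected:" + str(exc)


# --- Constructed offline stand-in for Steam (not Steam's real behaviour) ---
_STAND_IN_SECRET = b"constructed-provider-secret"


def _stand_in_sign(fields: Mapping[str, str]) -> str:
    names = fields["openid.signed"].split(",")
    msg = "".join(f"{n}:{fields.get('openid.' + n, '')}\n" for n in names).encode()
    return hmac.new(_STAND_IN_SECRET, msg, hashlib.sha256).hexdigest()


def offline_steam_verifier(endpoint: str, fields: Mapping[str, str]) -> str:
    """Confirms a signature only if it was made over these exact field values."""
    ok = endpoint == STEAM_OPENID_ENDPOINT and hmac.compare_digest(
        fields.get("openid.sig", ""), _stand_in_sign(fields))
    return f"ns:{OPENID_NS}\nis_valid:{'true' if ok else 'false'}\n"


RETURN_TO = "https://example.test/login/steam/callback"  # constructed
GENUINE_RESPONSE = {  # constructed, shaped like a real Steam id_res response
    "openid.ns": OPENID_NS, "openid.mode": "id_res",
    "openid.op_endpoint": STEAM_OPENID_ENDPOINT,
    "openid.claimed_id": "https://steamcommunity.com/openid/id/76561190000000000",
    "openid.identity": "https://steamcommunity.com/openid/id/76561190000000000",
    "openid.return_to": RETURN_TO,
    "openid.response_nonce": "2021-01-03T12:00:00Zconstructed",
    "openid.assoc_handle": "constructed-handle",
    "openid.signed": "signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}
GENUINE_RESPONSE["openid.sig"] = _stand_in_sign(GENUINE_RESPONSE)
# Vouched for by some other OpenID provider: rejected at step 1.
ROGUE_PROVIDER_RESPONSE = dict(GENUINE_RESPONSE, **{
    "openid.op_endpoint": "https://openid.rogue-provider.example/login"})
# Genuine-looking response whose Steam ID was altered: rejected at step 4.
TAMPERED_RESPONSE = dict(GENUINE_RESPONSE, **{
    "openid.claimed_id": "https://steamcommunity.com/openid/id/76561190000000001",
    "openid.identity": "https://steamcommunity.com/openid/id/76561190000000001"})
```

Running `login_outcome(GENUINE_RESPONSE, RETURN_TO, offline_steam_verifier)` yields the Steam ID, while the rogue-provider and tampered responses are rejected before any session is created. The point of steps 1 and 4 together is that the site decides which server to ask, never the response; in production the same function is called with `steam_verifier`.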
If you want to delete your account, you can do that here.
What will happen to avoid this in the future?
We will look in more detail at our OpenID login implementation, consider using different libraries and explore ways to implement two-factor authentication.
If you have any more questions, don't hesitate to contact us at email@example.com
— Tomáš Fedor
Last update 2021-01-07 21:29 CET