thedamngod Posted February 7, 2017 Share Posted February 7, 2017 UPDATE: Everything seems fixed Currently, there is a risk (i.e. phishing, malicious script execution, etc.) involved when viewing or simply opening PROFILE pages of other steam users as well as your OWN activity feed (both desktop and mobile versions on all browsers including steam browser/chromium). I would advise against viewing suspicious profiles until further notice and disable JavaScript in your browser options. Do NOT click suspicious (real) steam profile links and Disable JavaScript on Browser. Appropriate information has been forward to Valve and this issue should be resolved soon, sorry for any inconvenience. TO THOSE POSSIBLY AFFECTED: Change your Steam Account password, enable Mobile Authenticator if it's not on already (otherwise deauthorize other computers on Steam Guard on all systems from settings) then restart your modem/change IP. You might want to also consider scanning your system with a malware scanner/anti-virus. This is copied from the following thread on reddit: Please don't click any Steam profile links you find on this forum, or anywhere else, until Valve has fixed the issue! It's for the safety of your account. I will try to update here if there is new information. If any of you know more earlier, feel free to reply with a source here. Link to comment Share on other sites More sharing options...
thedamngod Posted February 7, 2017 Author Share Posted February 7, 2017 From a reply of a mod on the linked reddit post, emphasis mine: I'm a web developer, and have investigated and created proofs of concept for this exploit. With the right know-how a malicious user could do these actions for example, and you only need to view a Steam Profile: Redirect you to any non-steam page, for example a phishing login page. From a user perspective it is you going to a legitimate Steam profile, then you see a login page. Seems legit right? Pop in your info. You didn't click anything suss so it's no big deal. Utilize scripting to use your Steam Market funds on any item the malicious user chooses, you wouldn't even need to confirm anything as you're on a valid login session. Manipulate elements on the page as they see fit. PLEASE Ensure that you are triple-checking the website URL before doing anything with your sensitive information. Go into your Steam Settings and enable "Display Steam URL Address Bar When Available", and triple-check. Also try to avoid viewing profiles of anybody you're unfamiliar with. I've forwarded my proofs of concept to Valve Security and they should be actioning this very rapidly. Link to comment Share on other sites More sharing options...
Scytales Posted February 7, 2017 Share Posted February 7, 2017 This is scary. :'( Thank you for the heads up. Link to comment Share on other sites More sharing options...
thedamngod Posted February 7, 2017 Author Share Posted February 7, 2017 It appears that profiles have been fixed, but the Activity feed is still vulnerable. You should therefore NOT use it again right now. All fixed now. Link to comment Share on other sites More sharing options...
Recommended Posts