An exploit in Steam profiles has been discovered, putting users at risk of phishing through malicious script execution.
The scripts can be executed when viewing your own profile page or activity feed, and this impacts all browsers and even mobile. The advice is not to click links, and it’s probably better to keep off them completely until the problem is resolved.
If you think you’ve been caught out by this, make sure you run a scan on your PC to check, and change your passwords.
A post on Reddit explains what this exploit does:
- Redirect you to any non-Steam page, for example a phishing login page. From a user perspective it is you going to a legitimate Steam profile, then you see a login page.
- Utilize scripting to use your Steam Market funds on any item the malicious user chooses; you wouldn’t even need to confirm anything as you’re on a valid login session.
- Manipulate elements on the page as they see fit.
The advice is to change the setting “Display Steam URL Address Bar When Available”, check any URLs, and stay off the profiles of anyone you do not know.
As soon as this has been fixed we’ll let you know.
Update: The exploit has now been fixed and information on how it worked has also been posted. Note that the activity feed has still not been fixed, so keep away from that.
Method of the Exploit:
The “My Guides showcase” (multi-guide showcase) parsed scripts placed in guides’ Title section. You could inject code via putting such guides up on your showcase. Favorite Guide was NOT vulnerable, only multi-guide showcase was. Repro:
1) Your profile must be at least Level 10 (to access My Guide Showcase)
2) Create a Guide and put your script/payload in Title (-> Enter the title for your guide)
3) Publish the Guide & Feature it on your profile Guide Showcase
Update 2: Everything has now been fixed. You are good to go.
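The flaw described under “Method of the Exploit”, where one showcase encoded guide titles and another did not, is the kind of gap a canary-title check across every render path catches. The following is an added example, not code from Steam or from the original post; the renderer functions, markup and canary string are hypothetical and constructed for illustration.

```javascript
// Hypothetical model of profile render paths for a user-supplied guide title.

// Encode the HTML-significant characters so a title is always rendered as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Models the unaffected single-guide showcase: the title is encoded on output.
function renderFavoriteGuide(guide) {
  return `<div class="guide"><a href="/guide/${Number(guide.id)}">${escapeHtml(guide.title)}</a></div>`;
}

// Models the bug: the multi-guide showcase concatenates the raw title into markup.
function renderMultiGuideVulnerable(guides) {
  return guides
    .map(g => `<div class="guide"><a href="/guide/${Number(g.id)}">${g.title}</a></div>`)
    .join('');
}

// Fixed form: the multi-guide path reuses the single encoded renderer.
function renderMultiGuideFixed(guides) {
  return guides.map(renderFavoriteGuide).join('');
}

// Constructed canary: inert markup plus every character that must be encoded.
const CANARY_TITLE = 'My guide <script>/*canary*/</script> "q" & \'s\'';

// Push the canary through each render path; return the names of paths that
// emit it as live markup or fail to emit the fully encoded form.
function auditTitleRenderers(renderers) {
  const guide = { id: 1, title: CANARY_TITLE };
  const unsafe = [];
  for (const [name, render] of Object.entries(renderers)) {
    const html = render(guide);
    if (html.includes('<script>') || !html.includes(escapeHtml(CANARY_TITLE))) {
      unsafe.push(name);
    }
  }
  return unsafe;
}

const RENDERERS = {
  favoriteGuide: renderFavoriteGuide,
  multiGuideVulnerable: g => renderMultiGuideVulnerable([g]),
  multiGuideFixed: g => renderMultiGuideFixed([g]),
};

console.log('Unsafe render paths:', auditTitleRenderers(RENDERERS));
```

Registering every template that outputs the same field in `RENDERERS` makes a newly added showcase fail the audit until it encodes the title.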