Steam users warned after profile exploit discovered - HotUKDeals
Steam users warned after profile exploit discovered

£0.00 @ Steam
Posted by BuzzDuraband, 5 months, 2 weeks ago

I won't use the 'XSS marks the spot' line that EG did, but I will allow them to fill you in better :)

Steam users have today been warned to be careful browsing Steam - an XSS exploit has been discovered which could threaten your account's security.

The issue's existence was made public by a mod on Steam's official Reddit, and SteamDB has also confirmed the exploit to be worth taking note of - at least until Valve wakes up and fixes it.

Steam users are warned to be careful opening any profile pages on the service, and to ignore any suspicious links.

The exploit takes advantage of Steam's XSS (cross-site scripting) code which can be exploited to let others inject their own code. Anyone with the right know-how could harness your profile to perform actions on your behalf.

Anyone who thinks they may have been affected should change their password, enable a mobile authenticator - and scan their system for malware.


[Credit: Eurogamer]
#1
So in simple terms?
#2 Rid1 [HUKD Deal Editor]

Quoting #1: So in simple terms?

Well I think it's there, but here you go :)

Steam users are warned to be careful opening any profile pages on the service, and to ignore any suspicious links.

The exploit takes advantage of Steam's XSS (cross-site scripting) code which can be exploited to let others inject their own code. Anyone with the right know-how could harness your profile to perform actions on your behalf.
#3 BuzzDuraband

Quoting #2 (Rid1).

In my current state of mind, I'm struggling to even understand that! I guess if you have Steam mobile authentication it should be fine?
#4 Rid1 [HUKD Deal Editor]

Quoting #3 (BuzzDuraband).

This link may be a better read mate.
#5
There's a big thread here and a useful post at the top:

https://www.reddit.com/r/Steam/comments/5skfg4/warning_regarding_a_steam_profile_related_exploit/?st=iyvpvini&sh=b1b43826

I'm a web developer, and have investigated and created proofs of concept for this exploit.

With the right know-how a malicious user could, for example, do these actions, and you only need to view a Steam profile:

Redirect you to any non-steam page, for example a phishing login page. From a user perspective it is you going to a legitimate Steam profile, then you see a login page. Seems legit right? Pop in your info. You didn't click anything suss so it's no big deal.

Utilize scripting to use your Steam Market funds on any item the malicious user chooses, you wouldn't even need to confirm anything as you're on a valid login session.

Manipulate elements on the page as they see fit.

PLEASE Ensure that you are triple-checking the website URL before doing anything with your sensitive information.

Go into your Steam Settings and enable "Display Steam URL Address Bar When Available", and triple-check. Also try to avoid viewing profiles of anybody you're unfamiliar with.

I've forwarded my proofs of concept to Valve Security and they should be actioning this very rapidly.

The way I read it is that a dodgy person can put some dodgy code on their Steam information so if you then view their profile page, that dodgy code runs and makes it look like Steam is asking you to login or does something with your Steam profile.

Having the Steam authenticator on should protect you against this, you obviously shouldn't be putting in your login details and if someone illegally tries to use your funds then the authenticator step should stop them.

John
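As an added illustration of the mechanism this comment describes (example code written for this page, not code from the thread, from Valve or from the commenter's proofs of concept): a minimal profile renderer in Python showing the vulnerable pattern (stored profile text pasted straight into HTML, so it runs in every viewer's logged-in session) beside the encoded form, plus a check a reviewer can run over the rendered page. The Profile fields, the template and the sample input are constructed for this example.

```python
import html
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List

# Hypothetical profile record for this example; the field names are not Steam's.
@dataclass
class Profile:
    name: str
    summary: str

TEMPLATE = '<h1>{name}</h1><p class="summary">{summary}</p>'
TEMPLATE_TAGS = {"h1", "p"}  # the only tags the template itself emits

def render_unsafe(p: Profile) -> str:
    """Vulnerable pattern: saved text is interpolated raw, so any markup the
    profile owner stored becomes part of the page shown to every viewer."""
    return TEMPLATE.format(name=p.name, summary=p.summary)

def render_safe(p: Profile) -> str:
    """Hardened form: each field is encoded for an HTML text context, so the
    browser displays the characters instead of interpreting them as markup."""
    return TEMPLATE.format(name=html.escape(p.name, quote=True),
                           summary=html.escape(p.summary, quote=True))

class _TagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.handlers: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [k for k, _ in attrs if k.lower().startswith("on")]

def foreign_markup(page: str) -> List[str]:
    """Reviewer's check: tags or on* event handlers the template never emits.
    An empty list means user data reached the page as text only."""
    c = _TagCollector()
    c.feed(page)
    return [t for t in c.tags if t not in TEMPLATE_TAGS] + c.handlers

# Defence in depth: disallowing inline script means a missed encoding site
# still cannot execute script stored in a profile.
SECURITY_HEADERS = {"Content-Security-Policy":
                    "default-src 'self'; script-src 'self'; object-src 'none'"}

# Constructed sample input: a saved summary that carries script markup.
TAINTED = Profile(name="Ordinary Name",
                  summary='hi <script>alert("xss")</script><img src=x onerror=alert(1)>')
```

Running foreign_markup over render_unsafe(TAINTED) reports the script tag, the img tag and the onerror handler; over render_safe(TAINTED) it reports nothing, because the encoded output contains no tags at all.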
#6
Basically they add to their profile, and when you visit, they hijack yours. If you have the Steam authenticator then you should be fine.

I'd avoid visiting friends' profiles too till it's fixed, as if they are hijacking people then it's not hard to add to the hijacked profile and spread it across everyone.
