
    Steam users warned after profile exploit discovered

    Editor

    I won't use the 'XSS marks the spot' line that EG did, but I will allow them to fill you in better

    Steam users have today been warned to be careful browsing Steam - an XSS exploit has been discovered which could threaten your account's security.

    The issue's existence was made public by a mod on Steam's official Reddit, and Steamdb has also confirmed the exploit to be worth taking note of - at least until Valve wakes up and fixes it.

    Steam users are warned to be careful opening any profile pages on the service, and to ignore any suspicious links.

    The exploit takes advantage of a cross-site scripting (XSS) flaw in Steam's profile pages, which lets others inject their own code into them. Anyone with the right know-how could harness your profile to perform actions on your behalf.

    Anyone who thinks they may have been affected should change their password, enable a mobile authenticator - and scan their system for malware.


    [Credit: Eurogamer]

    6 Comments

    So in simple terms?

    Original Poster Editor

    Rid1

    So in simple terms?



    Well I think it's there, but here you go

    Steam users are warned to be careful opening any profile pages on the service, and to ignore any suspicious links.

    The exploit takes advantage of a cross-site scripting (XSS) flaw in Steam's profile pages, which lets others inject their own code into them. Anyone with the right know-how could harness your profile to perform actions on your behalf.

    BuzzDuraband

    Well I think it's there, but here you go :)

    Steam users are warned to be careful opening any profile pages on the service, and to ignore any suspicious links.

    The exploit takes advantage of a cross-site scripting (XSS) flaw in Steam's profile pages, which lets others inject their own code into them. Anyone with the right know-how could harness your profile to perform actions on your behalf.


    In my current state of mind, I'm struggling to even understand that! I guess if you have Steam mobile authentication it should be fine?

    Original Poster Editor

    Rid1

    In my current state of mind, I'm struggling to even understand that! I guess if you have Steam mobile authentication it should be fine?



    This link may be a better read mate.

    There's a big thread here and a useful post at the top:

    reddit.com/r/S…826

    I'm a web developer, and have investigated and created proofs of concept for this exploit.

    With the right know-how a malicious user could do these actions for example, and you only need to view a Steam Profile:

    - Redirect you to any non-steam page, for example a phishing login page. From a user perspective it is you going to a legitimate Steam profile, then you see a login page. Seems legit right? Pop in your info. You didn't click anything suss so it's no big deal.
    - Utilize scripting to use your Steam Market funds on any item the malicious user chooses, you wouldn't even need to confirm anything as you're on a valid login session.
    - Manipulate elements on the page as they see fit.

    PLEASE Ensure that you are triple-checking the website URL before doing anything with your sensitive information.

    Go into your Steam Settings and enable "Display Steam URL Address Bar When Available", and triple-check. Also try to avoid viewing profiles of anybody you're unfamiliar with.

    I've forwarded my proofs of concept to Valve Security and they should be actioning this very rapidly.



    The way I read it is that a dodgy person can put some dodgy code on their Steam information so if you then view their profile page, that dodgy code runs and makes it look like Steam is asking you to log in or does something with your Steam profile.

    Having the Steam authenticator on should protect you against this, you obviously shouldn't be putting in your login details and if someone illegally tries to use your funds then the authenticator step should stop them.

    John

    Basically they add to their profile and when you visit they hijack yours. If you have the Steam authenticator then you should be fine.

    I'd avoid visiting friends' profiles too till it's fixed, as if they are hijacking people then it's not hard to add to the hijacked profile and spread it across everyone.