Valve Patches Steam Profiles Phishing Vulnerability

[Exterminator]

Steam fans were warned earlier today that the social pages were unsafe. Thankfully, however, the vulnerability has been patched.

It all started when a group from the Steam subreddit, mostly moderators, expressed concern over a discovered exploit related to Steam profiles which left people vulnerable to attacks. It seems that even looking at your Activity feed could let hackers redirect you to non-Steam sites or to buy Community Market items with the funds in your Wallet.

One redditor wrote that there was a risk involved when viewing or simply opening profile pages of other Steam users, as well as the personal page. This vulnerability was present both on desktop and mobile versions on all browsers, including Steam.

“I would advise against viewing suspicious profiles until further notice and disable JavaScript in your browser options. Do NOT click suspicious (real) Steam profile links and disable JavaScript on Browser. Appropriate information has been forward to Valve, and this issue should be resolved soon, sorry for any inconvenience,” wrote user R3TR1X.

High risk for users
With the right entryway, a malicious actor could redirect users to any pages they wanted, including a phishing login page, which would look like a legitimate Steam profile. Funds from Steam Market wallets could also be used to whatever purpose this hacker wanted without even having to get user confirmation.

What happened exactly is that the “My Guides showcase” parsed scripts placed in guides’ Title section. “You could inject code via putting such guides up on your showcase,” the explanation coming from subreddit mod R3TR1X reads.

This seems to have happened before, and Valve ignored the reported vulnerability. Then, the user who reported it, used the way in to mess with the Steam page and make it… “dance” while music was blaring through people’s speakers.

 

[DracusNarcrym]

That was very quick. Good job, Valve.