Just a major heads up, but there's a huge security flaw that was just exposed, allowing people to execute code on profiles. So far I've only seen one profile that can do this, but it can comment for you, it can load iframes, and it can play youtube videos. It will fuck up your notifications.

DO NOT LINK THESE PROFILES IN THE FORUMS, IN CHAT, OR ANYWHERE.

Issue has been fixed. Profiles are now safe again.

9 years ago*

Could you clarify the "do not click steam profile links" part?
Are you referring to the button on SG profiles, or URLs in comments?

9 years ago

I mean, do not visit any Steam profiles whatsoever. The Steamgifts site is not affected. But any links that lead to a Steam profile are unsafe at the current moment in time.

9 years ago

That sounds huge. Got any source for that, preferably from Valve, or is this something currently being discussed on social media without any public statement from Valve?

9 years ago

Valve not discussing this is what has led to it being exposed, by a developer, in an attempt to get it fixed. However, they're fucking idiots for doing it, because now anyone can do it.

The best source other than myself for this information right now is SteamDB's Twitter, over here: https://twitter.com/SteamDB/status/574256881721548800

9 years ago

Thanks a lot for the heads up. It seems traders have to be extra careful, since it is mentioned there that theoretically trade offers could be sent as well.

9 years ago

Yes. It's also worth noting that after this glitch ends, check REP on all traders, specifically dates, since this can be used to flood the profile comments of any visitor, possibly garnering fake reps from reputable accounts.

9 years ago

Do you mean the exploit can be used to make false feedback on SteamTrades? Or just feedback on Steam profiles?

Because I'm pretty sure no one takes Steam profile rep seriously.

9 years ago

Only on Steam Profiles. And some people still check that.

9 years ago

9 years ago

I'm scared... you are everywhere :S

9 years ago

I is ononynous, I is evrywhere, we du not forgiv, we do not froget.

9 years ago

fatonynous is better .-.

9 years ago

u gettin haxed m8

9 years ago

Except that this isn't anything like a scam link.

You should maybe read the opening posts. Just saying.

9 years ago

Sorry not sorry

9 years ago

That's nice, dear.

9 years ago

k™

9 years ago

Oh come on, those guys who create this bullshit, don't they have something good to do....

9 years ago

Apparently not. :P

9 years ago

You mean real Steam profile links, or phishing links that look like Steam profile links? Because these are different things. And where did you get this info?

9 years ago

I mean real Steam profile links. And this includes in the client, as well as in the browser.
I got this information first hand: a developer exploited it to expose it, in an attempt to get it fixed by Valve quicker. Unfortunately, by making the exploit public, anyone can do it now.

Another source other than myself is SteamDB https://twitter.com/SteamDB/status/574256881721548800

9 years ago

Seems like it's an XSS exploit which could lead to dangerous things.

9 years ago

Thank you for the warning!

9 years ago

Deleted

This comment was deleted 6 years ago.

9 years ago

It's only happening if you click on Steam profiles, not profiles on SG.

9 years ago

Steamgifts profiles are safe. Only Steam profiles themselves are currently unsafe.

9 years ago

Deleted

This comment was deleted 6 years ago.

9 years ago

GG Volvo, now we wait for that developer who wanted to help get banned, since valve is crappy and useless as ever. And silent ofc, no need to mention

9 years ago

Thanks for the heads up Deiru!

9 years ago

It's only links to profiles, right? I can still check my inventory, badges, etc.?

9 years ago

Only profiles are currently affected, as far as we can tell.

9 years ago

Thanks for the warning.

9 years ago

Deleted

This comment was deleted 2 years ago.

9 years ago

Gifting does not have that additional confirmation step, so any inventory gifts could potentially be at risk as well. As well as this, many users turned off the email trade verification due to it being annoying.

9 years ago

Deleted

This comment was deleted 2 years ago.

9 years ago

I was one of those users... but I just turned this feature on again!

9 years ago

So it's safe for those who have NoScript then.

9 years ago

No, NoScript is not picking this up, and it affects the Steam Client as well.

9 years ago

So to clarify, if you visit a profile where someone has intentionally used this exploit, it can affect you. So visiting your own profile or that of a trustworthy friend should be ok?

9 years ago

Yup.

9 years ago

we all know which profile is not safe . . x. . a. . . ..

9 years ago

Potentially, but I would not risk it. It seems that the exploit could potentially edit profiles without the user's consent, so might propagate itself. Also, it's not entirely certain, but it might be possible to add the exploit by commenting on a profile as well, rather than just having it on the profile.

9 years ago

Wow, ok.

9 years ago

Deleted

This comment was deleted 2 years ago.

9 years ago

I changed my settings from "only friends can comment" to "only I can comment" on my profile. This way I assume my profile stays safe (until I visit an evil profile that infects me) and I can at least visit my own profile page.

9 years ago

same here

9 years ago

Does that include my own profile? What about if I visit a profile from the friends list? Does that mean that every profile presents a vulnerability, or only profiles that are exploiting this vulnerability?

9 years ago

Just replied to Bobo with similar, but until it is fixed, treat every profile as a potential malicious one, since it could theoretically edit people's profiles without their consent.

9 years ago

I'm confused now: do I have to treat my own profile as a malicious one?

9 years ago

Potentially, yes. I've not heard of anyone doing it yet, but the possibility exists.

9 years ago

So how are we supposed to know if someone/something is messing up my profile if I can't even access it? That's a fucked up security breach, if true.

9 years ago

Wait until it gets fixed, then check, nothing else we can do unfortunately.

9 years ago

Is this even discussed anywhere? Where can I check the progress of this "fix"?

9 years ago

Unfortunately, Steam are notoriously bad at communication regarding these things. I suggest following the @SteamDB Twitter account for information; they're pretty much my go-to. They're a third party, but they're pretty good.

9 years ago

I've checked quite a few profiles in the past hour, including my own after finding this thread. What should I expect if I am affected? Does this vulnerability take effect the moment you visit an exploited profile, or what exactly?

9 years ago

Most of the exploits done with this so far were very high visibility, in the sense that if you were affected, you'd know. If you didn't see anything, you should be fine. But other than that, there is potentially no way to know.

9 years ago

If no one has left a comment on your profile recently, you can disable comments and your profile should be ok.

9 years ago

I never had comments enabled, since I don't like to clutter my profile.

9 years ago

Damn. O_o Thanks for the heads up indeed... now let's hope Valve will fix that real quick.

9 years ago

I was wondering why I got 2 invites today from people linking me to the community. Good thing I deleted them without clicking the link.

9 years ago

Thanks for the heads up. I managed to dodge this bullet, but others that I know have been hit by it. :P

I assume there's already a thread about this in the Steam forum?

9 years ago

I haven't checked myself, but it does appear that Valve is aware of the glitch.

9 years ago

I've been trying to find something on the Steam forum, but I haven't been able to locate anything regarding this.

9 years ago

Good luck. Anytime there is an issue with Steam itself, the mods cover it up very quickly.

9 years ago

So if I go to someone's SG profile and then I click to see his Steam profile, am I in danger?

9 years ago

Yes. Any Steam Profile could be affected.

9 years ago

tnx you ;)

9 years ago

What about accepting friend invites? Can it compromise security?

9 years ago

Should be safe, beyond the normal bot invites.

9 years ago

What's the danger with bots? I mean, can actually having a bot on your friend list affect you in some way?

9 years ago

omg

9 years ago

In the past 2 hours I've visited around 20 Steam profiles (my friends)... >_> I guess I'm fu*ked? Anyway thanks for the heads-up :)

9 years ago

You should be fine, most of the current exploits based on it were high-visibility, and very obvious if they affected you.

9 years ago

Based on the last fixes from Steam that prevent account hacking, we won't have Steam profiles any longer.

9 years ago

^Same thing I wanted to ask as JasmineMcCoy, and when blocking scam bots, if you click their profile in the Steam client, can it affect you? I clicked one a few hours ago, but I don't see any changes, nothing has happened so far. It was a CSGO scam bot profile.

9 years ago*

Blocking directly from friend invites should be safe. Do not visit their profile, just in case.

9 years ago

Yes, it works in client & browser alike.

It isn't in the wild yet. There was one profile that had a sample, but that's it. (It's down now.)
It posted a simple comment, so it's not exactly unsafe.

9 years ago

It is in the wild. Once the "sample" was posted, people started copying it.

9 years ago

Thanks for this heads up

9 years ago
