https://www.reddit.com/r/Steam/comments/5skfg4/warning_regarding_a_steam_profile_related_exploit/

Wow, another exploit, how unexpected

Currently, there is a risk (i.e. phishing, malicious script execution, etc.) involved when viewing or simply opening PROFILE pages of other steam users (both desktop and mobile versions). I would advise against viewing suspicious profiles until further notice and disable JavaScript in your browser options. Do NOT click suspicious (real) steam profile links and Disable JavaScript on Browser. Appropriate information has been forwarded to Valve and this issue should be resolved soon, sorry for any inconvenience.
Anyone (with knowledge of the exploit) who uses or abuses it FOR ANY REASON will RISK RECEIVING A COMMUNITY BAN. If you find any such profile that you can't report (as in literally cannot use the report button), please PM them to me.
Keep in mind that any discussion on any exploit method is NOT allowed here and will result in a ban without warning. This post is intentionally vague, and will be kept that way due to the nature of this exploit.
And to make it VERY clear: do NOT post profile links on this sub (temporarily), do NOT post proof of concepts (we have the repro steps and passed them on), do NOT post anything relevant that might provide information on how to do this exploit (incl. youtube links). This post is your warning.
TO THOSE POSSIBLY AFFECTED:
Change your Steam Account password, enable Mobile Authenticator if it's not on already (otherwise deauthorize Steam Guard on all systems from settings) then restart your router/change IP. You might want to also consider scanning your system with a malware scanner/anti-virus.


TL;DR

Currently, there is a risk (i.e. phishing, malicious script execution, etc.) involved when viewing or simply opening PROFILE pages of other steam users as well as your OWN ACTIVITY FEED (both desktop and mobile versions on all browsers).


update:

Valve have disabled Guide Showcases which means no one else can attempt this exploit. Now we just wait for them to clean up the profiles that have already abused this.


update 2:

Steam Profiles are safe to visit now.

Activity Feed might still be affected


update 3:

Fixed

7 years ago*


Bump!
I think you should put [PSA] or something like that

7 years ago

what is psa ?
prostate-specific antigen ?

7 years ago

"Public Service Announcement"
http://www.urbandictionary.com/define.php?term=psa

It doesn't have "PSA" in the title before, that's why I'm telling OP to do it.. :3


Other PSA thread on SG

7 years ago

i googled it but still thx for serious answer :)

7 years ago

I liked your definition, better. P

7 years ago

soooo, we need more PSA, and maybe some tits to balance it
will You Support me on this one ?

7 years ago

Oh, nice to know, for some reason I always thought it means Please Stay Alert, which in the end has a similar meaning/effect I guess.

7 years ago

Ohh - one is learning every day. Thank you.

7 years ago

Play Station Andromeda

7 years ago

whitelisted for "prostate-specific antigen" lol

7 years ago

it stands for please stop answering

7 years ago

police spanking adults ?
are you a dirty cop ?
are you a bad girl ?

7 years ago

Oh, I was just about to create similar thread but then noticed this. Good I didn't double it.
Thanks for the info and let's hope this exploit will get fixed very soon...

7 years ago

Was just about to make this thread. :p
bump

7 years ago

Bump, it deserves attention

7 years ago

What the.....! I am amazed.

7 years ago

Deleted

This comment was deleted 5 years ago.

7 years ago

This is bananas... =\

7 years ago

Did you just say... B A N A N A ?

7 years ago

You asked for it

7 years ago

Oh, it is on, now. Throws down gauntlet.

7 years ago

ouch, what is this?
got a friend request right yesterday from an unknown profile and obviously went to check why.
didn't accept and this morning the request was gone :\

7 years ago

D:

7 years ago

same here, but the request stayed. Just now declined it. What the fuck, valve.

7 years ago

Deleted

This comment was deleted 7 years ago.

7 years ago

I wouldn't count on it.

7 years ago

I don't think so, if you really need to open a profile at least use a no-script extension

7 years ago

I don't even get it. o.O Even if you check your own profile on a browser, you may get affected? o.O Or there are some specific malicious links that they'll send you and you'll get affected by clicking on them? Someone explain. :/

7 years ago

i'm with Shamrock.
those smart CS guys. meh

7 years ago

I can't understand anything of what they're saying. ;_;

7 years ago

Of what I understood reading the Reddit thread, it probably redirects you somewhere else when clicking on the profiles.

7 years ago

So, it redirects you on a fake site, identical to steam? So, you'll only get affected by clicking on a steam link? Not by checking your own steam profile, a friend's steam profile, etc? Only these specific malicious links will affect you?

7 years ago

You click on a real steam link and it redirects you to an identical website. There are no malicious links (to my understanding, if I am wrong please someone correct me).

7 years ago

So, it's only about giving your name and password to a fake site? That kind of link?

7 years ago

So it seems. The problem is that you are on a legit URL and you get redirected by clicking on that legit URL's content. I personally wouldn't suspect a thing, I would think that it is Steam derping once more (as it usually does).

7 years ago

It's still a really old trick. I mean, giving someone a link of a fake site in order to give his info, is a really old scamming trick. So, I shouldn't be afraid if I didn't click on anything? :/ Because, in the other comments, they're saying otherwise. :(

7 years ago

Friend, you honestly need to learn better English, it will help you. Nobody is giving you any link. You open your friend's profile from the browser and, if his profile is affected, a JavaScript starts running. That script automatically takes you to another phishing site that asks you to log in. The problem is that you are on the GENUINE Steam website, and it automatically directs you to another, fake one.

I really hope you understood now.

7 years ago

Yes, I understood it and I already know English well. Either someone gives you a link to an affected profile or you look at it on your own, and it redirects you to a fake site. I understood it and, if you notice, I've written it to Sighery too. The thing is that giving your details to a fake site, even if it happens through a legit link, is an age-old scamming trick.

7 years ago

The issue isn't that you give your details, but that someone was able to inject JavaScript into a Steam profile. The fact that they can't do anything else with it (automatic trades etc.) is due to some of Steam's restrictions. The whole trick isn't that it redirects you to phishing sites, but that it redirects you at all.

I think the one that redirected you to random Steam accounts, where you could see their details, was similar.

7 years ago

They say it can also buy things from the Steam market on its own. And if I've already been hit by this crap, how can I know (obviously I would already know if they had bought things from my account)? Because I use Steam from the browser quite often.

7 years ago

Because you are already logged in to Steam in your browser, yes, theoretically it could buy things on its own (if the script got injected on you). Realistically speaking, I don't know to what extent that happens. I'd say it depends on the coder's skills.

I'd simply advise you not to browse and to log out in your browser, just in case.

7 years ago*

I disconnected Steam from the browser. It's just, as I said, how can I know it hasn't affected me? If they fix the problem, even if I had been affected, will I be safe from then on?

7 years ago

Since I don't know much about coding, I can't tell you how you can be sure you weren't affected. If they fix it, logically you'll be safe from then on. But as I said, I don't know.

7 years ago

Viewing your own profile should be fine from what I get from it.

Just don't go anywhere else. Avoid checking groups as well.

But I guess they're being too vague. They're making it sound like you could even infect a profile yourself, with a comment or so. Or like a game store page with a review. In that case if you have a public comment section not even your profile would be safe.

So unless there is more info about it I would avoid everything. :p

7 years ago

So, just don't do anything on browser related to steam, only through steam app?

7 years ago

It depends. I don't know what's wrong atm, but if your comment wall is set to private your profile is probably safe

7 years ago

Just like everyone, I have my comment wall available only for friends.

7 years ago

Me too. I hope this is enough or safer

7 years ago

Some explanation from a comment in the thread:

With the right know-how a malicious user could do these actions for example, and you only need to view a Steam Profile:

Redirect you to any non-steam page, for example a phishing login page. From a user perspective it is you going to a legitimate Steam profile, then you see a login page. Seems legit right? Pop in your info. You didn't click anything suss so it's no big deal.

Utilize scripting to use your Steam Market funds on any item the malicious user chooses, you wouldn't even need to confirm anything as you're on a valid login session.

Manipulate elements on the page as they see fit.

Also

A user can still insert remote CSS to make their profile appear to be something it's not - like a Valve employee profile, or a Mod profile, etc.
7 years ago

Sooooo? :/ It's just about giving your info on a fake site identical to steam?

7 years ago

No, also scripting it sounds like. So they insert javascript code in the page that you're viewing, and it acts like you in the browser to do stuff in the market, like buying items.

7 years ago

Oh, so even if you don't give your info, it's enough to get affected? :O Damn. :(

7 years ago

As far as I know, if you have opened one infected tab, and you open, let's say, a bank account website in another tab and log in, you can read login and password from other tabs... JavaScript blocker for life.

7 years ago

NO.
What this is about is calling URLs from a tab in the same domain. That means from steamcommunity.com/profile/XXX you can call steamcommunity.com/market/buyOverpricedItem and for Steam it's the same as if you had bought the item yourself.
You can NOT influence or read other tabs (only if both are manipulated) and you can not do cross-domain stuff (not calling store.steampowered from steamcommunity).

7 years ago
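
The same-origin point made in the comment above, as an added example that is not part of the original thread: it lists which endpoints share an origin with a page that renders user-supplied content, which is what a defender checks when scoping the impact of a script-injection flaw. The URLs are constructed from the ones named in the comment (the schemes and the `.com` on the store host are assumptions), and `exposureReport` is a hypothetical helper name.

```javascript
// Added example: scope what a script injected into a user-content page could
// reach. All URLs are constructed from the comment above, not real endpoints.

// An origin is scheme + host + port. URL.origin normalises default ports,
// so https://host and https://host:443 compare equal.
function originOf(url) {
  return new URL(url).origin;
}

// The browser's same-origin policy lets page script read responses only from
// the page's own origin, unless another origin opts in via CORS (not modelled).
function sameOrigin(pageUrl, targetUrl) {
  return originOf(pageUrl) === originOf(targetUrl);
}

// For each page that renders user content, list the sensitive endpoints on
// the same origin: requests to those run inside the viewer's login session.
function exposureReport(userContentPages, sensitiveEndpoints) {
  const report = {};
  for (const page of userContentPages) {
    report[page] = sensitiveEndpoints.filter((ep) => sameOrigin(page, ep));
  }
  return report;
}

// Constructed sample inventory.
const pages = ["https://steamcommunity.com/profile/XXX"];
const endpoints = [
  "https://steamcommunity.com/market/buyOverpricedItem", // same origin
  "https://steamcommunity.com:443/market/",              // same origin (default port)
  "http://steamcommunity.com/market/",                   // different scheme
  "https://store.steampowered.com/",                     // different host
];

const report = exposureReport(pages, endpoints);
for (const [page, exposed] of Object.entries(report)) {
  console.log(page, "shares an origin with:", exposed);
}
```

Anything the report lists for a user-content page is in scope if that page has an injection flaw, which is why moving user content or sensitive actions to a separate origin narrows the impact.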

I've just installed to see what this no script blocker thing was for and it looked like in the picture. Nothing new, my phone was always blocking those and now I'm in a pc browser which websites don't work properly in it. Don't know how to set up it though.

7 years ago

You should have white bar at bottom. You press settings and something like "don't block steamgifts.com"

You can do the same for domains you feel secure.

On other hand you will see how many websites use scripts from external domains...

7 years ago

Deleted

This comment was deleted 4 years ago.

7 years ago

Mr. Cat here explained it perfectly.

7 years ago

So, it doesn't matter if I click on a link? The problem is when I check steam profiles with implemented javascript codes? So, nothing will happen if I check out "healthy" steam profiles or groups and, especially, nothing will happen if steam on browser won't ask me my name and password? I mean, this trick only works to get your info by joining a fake site identical to steam and giving them your name and password? And it only works on browsers?

7 years ago

You'll never know if a profile is healthy and no, it's not only the fake site thing (that's called phishing).
It could modify what you see, like adding a legit "steam member" badge on a random user, or buy something on the market.

7 years ago

And the last thing is the most scary. o.O Damn, I hope I didn't get harmed. ;_;

7 years ago

Deleted

This comment was deleted 4 years ago.

7 years ago*

I read everything and I can understand now, but if I can't assume that any profile is healthy, then how can I know that I'm not affected already, since I'm usually using steam on browser?
EDIT: I read your edit. This only works when having a browser window (with steam obviously) open or no matter what (as long as you visited an affected profile at some point obviously)?

7 years ago

Deleted

This comment was deleted 4 years ago.

7 years ago

Btw, a guy added me yesterday, telling me to avoid a guy named (can't say the name here) because he scammed him. I checked him out on my steam APP (not from browser), by searching his name on steam community. Then, I copied-pasted his profile link on steamrep and saw that he is already banned there, so I told the other guy he's already marked as a scammer. Then he told me he didn't know it, he wrote me a troll text that he had in his steam description, then deleted me. Should I be worried? You can't possibly know if he wanted to affect my profile, but did I do anything that would put me in harm's way? And finally, when this thing get fixed, even if I got affected, should I still be worried? I disconnected steam from my browser, btw. These are my final questions, so don't hate me. :B Thanks a lot for your help.

7 years ago

Deleted

This comment was deleted 4 years ago.

7 years ago

Of course you can't know that - I only asked if there's a possibility that this happened. Anyway, thanks a lot. Have a nice day. ;)

7 years ago

Deleted

This comment was deleted 4 years ago.

7 years ago

I love you. <3.

7 years ago

This exploit happens in activity feed too, so it may be a good idea to not open the activity feed until this is fixed.

7 years ago

bumperino!

7 years ago

update:

Valve have disabled Guide Showcases which means no one else can attempt this exploit. Now we just wait for them to clean up the profiles that have already abused this.

7 years ago

added to op

7 years ago

Not yet. At least the existing guide showcases are still there for now.

7 years ago

existing guide showcases are still there

that's what it states

7 years ago

Deleted

This comment was deleted 10 months ago.

7 years ago

you can always stalk me ;)

7 years ago

Deleted

This comment was deleted 10 months ago.

7 years ago

I'm going to report you to Interpol for home privacy invasion

7 years ago


Alf!
Thank you for the memories.

7 years ago

Thank God for this then.

7 years ago

Ouch make me feel worried... :/
Anyway thank you for the info

7 years ago

Yeah how the bloody hell you can be sure you are not infected? :/

7 years ago

Yep
Steam will put an end to it and quickly i hope.

7 years ago

Change your password and stay away from the steam community and you should be fine. I almost got fucked over already by someone my boyfriend knows >.>

7 years ago

But but i want to annoy my steam friends. :x
You know like give them 10 notifications. :p

7 years ago

You can still annoy them, just don't visit any page.

I have 6 unread messages so I will assume that was you :P Gonna read it when I am home in an hour ;)

7 years ago

Nope not me. ;)

7 years ago

After yesterday I don't believe you for a second ;)

7 years ago

OH it was actually not you. Woooops

7 years ago

Like boy who cried wolf, no one would believe either when I was in danger. :o

7 years ago

Would a logout from the Browser help? They can't take any actions on an account if there is no account in the first place, can they?

7 years ago*

Correct, but can still open other phishing sites etc.

7 years ago

1 thing at a time. I can't have solutions for everything :D

Actually, don't visit any Steam profiles. BUM, problem solved!

7 years ago

You can't buy without an account, so obviously yes

7 years ago

-1 problem then :D

7 years ago

it's still safe to use any steamrelated addon on firefox/chrome? (things like enhanced steam)

7 years ago

yes, they're independent

7 years ago

+rep for being so pizza

7 years ago

macaroni tarantella ♥

7 years ago

BUMP. Just posted it in 3 my country facebook groups. I want people to be safe.

7 years ago

rip

7 years ago

bump

7 years ago

Meh, okay. What am I going to lose with that script? I assume they will fully reimburse all the losses if that script hits me, cause it's completely 100% their fault with holes in their security.

🤦‍♀️

7 years ago

Don't be so sure.

7 years ago

Has anyone been affected

7 years ago

Deleted

This comment was deleted 1 year ago.

7 years ago

wtf

7 years ago

Another reason why we should have nuked javascript from the face of the Earth ages ago.

7 years ago

Deleted

This comment was deleted 4 years ago.

7 years ago

Yes, Python in the browser seems a lot safer 😀🙃👀

7 years ago

CVE ID?

7 years ago
