"Public Service Announcement"
It didn't have "PSA" in the title before, that's why I'm telling OP to do it.. :3
Other PSA thread on SG
Oh, I was just about to create a similar thread but then noticed this. Good I didn't double it.
Thanks for the info and let's hope this exploit will get fixed very soon...
I don't think so, if you really need to open a profile at least use a no-script extension
I don't even get it. o.O Even if you check your own profile in a browser, you may get affected? o.O Or are there some specific malicious links that they'll send you and you'll get affected by clicking on them? Someone explain. :/
I can't understand anything of what they're saying. ;_;
So, it redirects you to a fake site, identical to Steam? So, you'll only get affected by clicking on a Steam link? Not by checking your own Steam profile, a friend's Steam profile, etc.? Only these specific malicious links will affect you?
So, it's only about giving your name and password to a fake site? That kind of link?
It's still a really old trick. I mean, giving someone a link to a fake site so that he gives away his info is a really old scamming trick. So, I shouldn't be afraid if I didn't click on anything? :/ Because, in the other comments, they're saying otherwise. :(
Friend, honestly you need to learn better English, it will help you. Nobody gives you any link. You open your friend's profile from the browser and, if his profile is affected, a JavaScript starts running. That script automatically takes you to another phishing site that asks you to log in. The problem is that you are on the AUTHENTIC Steam website, and it automatically leads you to a fake one.
I really hope you understand now.
Yes, I understood, and I already know English well. Either someone gives you a link to an affected profile or you look at it yourself, and it redirects you to a fake site. I understood it and, if you notice, I also wrote that to Sighery. The point is that giving your details to a fake site, even if it happens through a legit link, is an age-old scamming trick.
The point is not that you give your details, but that someone managed to inject JavaScript into a Steam profile. The fact that they can't do anything else with it (automatic trades etc.) is because of some Steam restrictions. The whole trick is not that it redirects you to phishing sites, but that it redirects you at all.
I think the one that redirected you to random Steam accounts and let you see their details was similar.
They say it can also buy things from the Steam market by itself. And if I've already been hit by this crap, how can I know (obviously I'd already know if things had been bought from my account)? Because I use Steam from the browser quite a few times.
Since you are already logged into Steam from your browser, yes, theoretically it could buy by itself (if the script was injected on you). Realistically speaking, I don't know to what extent that is possible. I'd say it depends on the coder's skills.
I'd advise you simply not to browse and to log out from your browser, just in case.
I disconnected Steam from the browser. It's just that, as I said, how can I know it hasn't affected me? If they fix the problem, even if I was affected, will I be safe then?
Viewing your own profile should be fine from what I get from it.
Just don't go anywhere else. Avoid checking groups as well.
But I guess they're being too vague. They're making it sound like you could even infect a profile yourself, with a comment or so. Or like a game store page with a review. In that case if you have a public comment section not even your profile would be safe.
So unless there is more info about it I would avoid everything. :p
So, just don't do anything in the browser related to Steam, only through the Steam app?
It depends. I don't know what's wrong atm, but if your comment wall is set to private, your profile is probably safe.
Just like everyone, I have my comment wall available only for friends.
Some explanation from a comment in the thread:
With the right know-how a malicious user could do these actions for example, and you only need to view a Steam Profile:
Redirect you to any non-steam page, for example a phishing login page. From a user perspective it is you going to a legitimate Steam profile, then you see a login page. Seems legit right? Pop in your info. You didn't click anything suss so it's no big deal.
Utilize scripting to use your Steam Market funds on any item the malicious user chooses, you wouldn't even need to confirm anything as you're on a valid login session.
Manipulate elements on the page as they see fit.
A user can still insert remote CSS to make their profile appear to be something it's not - like a Valve employee profile, or a Mod profile, etc.
Sooooo? :/ It's just about giving your info to a fake site identical to Steam?
No, also scripting, it sounds like. So they insert JavaScript code in the page that you're viewing, and it acts like you in the browser to do stuff in the market, like buying items.
Oh, so even if you don't give your info, it's enough to get affected? :O Damn. :(
What this is about is calling URLs from a tab in the same domain. That means from steamcommunity.com/profile/XXX you can call steamcommunity.com/market/buyOverpricedItem, and for Steam it's the same as if you had bought the item yourself.
You can NOT influence or read other tabs (only if both are manipulated) and you cannot do cross-domain stuff (no calling store.steampowered from steamcommunity).
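The two points the thread keeps circling back to are that a script injected into a profile runs in the page's own origin (so anything it requests on steamcommunity.com carries the visitor's session, while store.steampowered.com is out of reach), and that the root defect is untrusted profile text reaching the page as markup. The following is an added illustration, not code from this thread or from Valve: it assumes Node.js (for the global URL class), a constructed profile summary, and hypothetical render functions standing in for whatever a profile page actually uses.

```javascript
// Added example, not from the SteamGifts thread or from Valve.
// Assumes Node.js; the profile summary below is constructed for the demo.

// The same-origin policy compares scheme + host + port, never the path.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// True when a script running on pageUrl may issue a credentialed request to
// targetUrl and read the reply, exactly as if the user had gone there.
function sameOrigin(pageUrl, targetUrl) {
  return originOf(pageUrl) === originOf(targetUrl);
}

// Output encoding for an HTML element body: the text is displayed, not parsed.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample of what a user might submit as a profile summary.
// The script body is deliberately inert; what matters is that it arrives
// inside a <script> element at all.
const CONSTRUCTED_SUMMARY = 'Trading cards! <script>document.title = "injected";</script>';

// Vulnerable pattern (hypothetical): user text interpolated straight into markup.
function renderSummaryUnsafe(summary) {
  return `<div class="profile_summary">${summary}</div>`;
}

// Hardened pattern: the same template with the value encoded first.
function renderSummarySafe(summary) {
  return `<div class="profile_summary">${escapeHtml(summary)}</div>`;
}

// Detection helper: does the rendered HTML still contain a <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defence in depth: a Content-Security-Policy without 'unsafe-inline' means an
// encoding miss still does not execute. Assumed header value, not Steam's.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Collects the results in one place so the block can be run or asserted on.
function demo() {
  return {
    profileToMarket: sameOrigin("https://steamcommunity.com/profiles/123",
                                "https://steamcommunity.com/market/listings/730/x"),
    profileToStore: sameOrigin("https://steamcommunity.com/profiles/123",
                               "https://store.steampowered.com/app/730"),
    unsafeHasScript: containsScriptTag(renderSummaryUnsafe(CONSTRUCTED_SUMMARY)),
    safeHasScript: containsScriptTag(renderSummarySafe(CONSTRUCTED_SUMMARY)),
    csp: CSP_HEADER,
  };
}
```

Running `demo()` returns `profileToMarket: true` and `profileToStore: false`, which is the distinction the comment above draws, and shows the encoded summary rendering with no script element left in it. The origin check deliberately treats `http://` and `https://` as different origins, since the scheme is part of the comparison.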
So, it doesn't matter if I click on a link? The problem is when I check Steam profiles with JavaScript code implemented in them? So, nothing will happen if I check out "healthy" Steam profiles or groups and, especially, nothing will happen if Steam in the browser doesn't ask me for my name and password? I mean, this trick only works to get your info by taking you to a fake site identical to Steam and having you give them your name and password? And it only works in browsers?
You'll never know if a profile is healthy, and no, it's not only the fake site thing (that's called phishing).
It could modify what you see, like adding a legit "Steam member" badge on a random user, or buy something on the market.
And the last thing is the scariest. o.O Damn, I hope I didn't get harmed. ;_;
I read everything and I can understand now, but if I can't assume that any profile is healthy, then how can I know that I'm not affected already, since I usually use Steam in the browser?
EDIT: I read your edit. Does this only work while having a browser window (with Steam, obviously) open, or no matter what (as long as you visited an affected profile at some point, obviously)?
Btw, a guy added me yesterday, telling me to avoid a guy named (can't say the name here) because he scammed him. I checked him out in my Steam APP (not from the browser), by searching his name on the Steam community. Then, I copy-pasted his profile link into SteamRep and saw that he is already banned there, so I told the other guy he's already marked as a scammer. Then he told me he didn't know it, wrote me a troll text that he had in his Steam description, then deleted me. Should I be worried? You can't possibly know if he wanted to affect my profile, but did I do anything that would put me in harm's way? And finally, when this thing gets fixed, even if I got affected, should I still be worried? I disconnected Steam from my browser, btw. These are my final questions, so don't hate me. :B Thanks a lot for your help.
Of course you can't know that - I only asked if there's a possibility that this happened. Anyway, thanks a lot. Have a nice day. ;)
This exploit happens in activity feed too, so it may be a good idea to not open the activity feed until this is fixed.
Not yet. At least the existing guide showcases are still there for now.
I'm going to report you to Interpol for home privacy invasion
Change your password and stay away from the Steam community and you should be fine. I almost got fucked over already by someone my boyfriend knows >.>
You can still annoy them, just don't visit any page.
I have 6 unread messages so I will assume that was you :P Gonna read it when I am home in an hour ;)
After yesterday I don't believe you for a second ;)
You can't buy without an account, so obviously yes
Wow, another exploit, how unexpected
Currently, there is a risk (i.e. phishing, malicious script execution, etc.) involved when viewing or simply opening PROFILE pages of other Steam users as well as your OWN ACTIVITY FEED (both desktop and mobile versions on all browsers).
update 2:
Steam Profiles are safe to visit now.
Activity Feed might still be affected
update 3: