Bump!
I think you should put [PSA] or something like that
Comment has been collapsed.
"Publice Service Announcement"
http://www.urbandictionary.com/define.php?term=psa
It doesn't have "PSA" in the title before, that's why I'm telling OP to do it.. :3
Other PSA thread on SG
Comment has been collapsed.
Oh, nice to know, for some reason I always though it means Please Stay Alert, which in the end has a similar meaning/effect I guess.
Comment has been collapsed.
Oh, I was just about to create similar thread but then noticed this. Good I didn't double it.
Thanks for the info and let's hope this exploit will get fixed very soon...
Comment has been collapsed.
Did you just say... B A N A N A ?
Comment has been collapsed.
ouch, what is this?
got a friend request right yesterday from an unknown profile and obviously went to check why.
didn't accept and this morning the request was gone :\
Comment has been collapsed.
I don't even get it. o.O Even if you check your own profile on a browser, you may get affected? o.O Or there are some specific malicious links that they'll send you and you'll get affected by clicking on them? Someone explain. :/
Comment has been collapsed.
I can't understand anything of what they're saying. ;_;
Comment has been collapsed.
Of what I understood reading the Reddit thread, it probably redirects you somewhere else when clicking on the profiles.
Comment has been collapsed.
So, it redirects you on a fake site, identical to steam? So, you'll only get affected by clicking on a steam link? Not by checking your own steam profile, a friend's steam profile, etc? Only these specific malicious links will affect you?
Comment has been collapsed.
You click on a real steam link and it redirects you to an identical website. There are no malicious links (to my understanding, if I am wrong please someone correct me).
Comment has been collapsed.
So, it's only about giving your name and password to a fake site? That kind of link?
Comment has been collapsed.
So it seems. The problem is that you are on a legit URL and you get redirected by clicking on that legit URL's content. I personally wouldn't suspect a thing, I would think that it is Steam derping once more (as it usually does).
Comment has been collapsed.
It's still a really old trick. I mean, giving someone a link of a fake site in order to give his info, is a really old scamming trick. So, I shouldn't be afraid if I didn't click on anything? :/ Because, in the other comments, they're saying otherwise. :(
Comment has been collapsed.
ÎĶÎŊÎŧÎŋÏ ÏÏÎÏÎĩÎđ ÎĩÎđÎŧÎđΚÏÎđÎ―ÎŽ Î―Îą ΞΎÎļÎĩÎđÏ ÎšÎąÎŧÏÏÎĩÏÎą ÎÎģÎģÎŧÎđΚΎ, ÎļÎą ÏÎĩ ÎēÎŋηÎļÎŪÏÎĩÎđ. ÎÎĩÎ― ÏÎŋÏ ÎīÎŊÎ―ÎĩÎđ ÎšÎąÎ―ÎĩÎŊÏ ÎšÎąÎ―ÎÎ―Îą Link. ÎÏÎąÎŊÎ―ÎĩÎđÏ ÏÏÎŋ profile ÏÎŋÏ ÏÎŊÎŧÎŋÏ ÏÎŋÏ ÎąÏÏ ÏÎŋÎ― Browser ΚιÎđ ÎąÎ― ÎĩÎŊÎ―ÎąÎđ affected ÏÎŋ profile ÏÎŋÏ , ÎąÏÏÎŊÎķÎĩÎđ ΚιÎđ ÏÏÎÏÎĩÎđ ÎÎ―Îą Javascript. ÎĪÎŋ script ÎąÏ ÏÏ ÏÎĩ ÏÎŽÎĩÎđ ÎąÏ ÏÏΞιÏÎą ÏÎĩ ÎÎ―Îą ÎŽÎŧÎŧÎŋ phishing site ÏÎŋÏ ÏÎĩ ÎķηÏÎŽÎĩÎđ Î―Îą ÎšÎŽÎ―ÎĩÎđÏ Login. ÎĪÎŋ ÏÏÏÎēÎŧηΞι ÎĩÎŊÎ―ÎąÎđ ÏÏÎđ ÎĩÎŊÏÎąÎđ ÏÏÎ·Î― ÎÎĨÎÎÎÎĪÎÎÎ ÎđÏÏÎŋÏÎĩÎŧÎŊÎīÎą ÏÎŋÏ Steam, ΚιÎđ ÎąÏ ÏÏ ÎąÏ ÏÏΞιÏÎą ÏÎĩ ΚιÎļÎŋÎīηÎģÎĩÎŊ ÏÎĩ ΞÎđÎą ÎŽÎŧÎŧη ÏÎĩÏÏÎđΚη.
Î ÏÎąÎģΞιÏÎđΚΎ ÎĩÎŧÏÎŊÎķÏ Î―Îą ΚιÏÎŽÎŧÎąÎēÎĩÏ ÏÏÏÎą.
Comment has been collapsed.
ÎÎąÎđ, ÏÎŋ ΚιÏÎŽÎŧÎąÎēÎą ΚιÎđ ÎūÎÏÏ ÎŪÎīη ΚιÎŧÎŽ ÎąÎģÎģÎŧÎđΚΎ. ÎÎŊÏÎĩ ÏÎŋÏ ÎīÎŊÎ―ÎŋÏ Î― ΚΎÏÎŋÎđÎŋÎđ ÎÎ―Îą link ÎĩÎ―ÏÏ affected profile ÎĩÎŊÏÎĩ ÏÎŋ ΚÎŋÎđÏÎŽÏ ÎąÏÏ ÎžÏÎ―ÎŋÏ ÏÎŋÏ ÎšÎąÎđ ÏÎŋÏ ÎšÎŽÎ―ÎĩÎđ redirect ÏÎĩ fake site. ÎĪÎŋ ΚιÏÎŽÎŧÎąÎēÎą ΚιÎđ, ÎąÎ― ÏÎąÏÎąÏηÏÎŪÏÎĩÎđÏ, ÏÎŋ'ÏÏ ÎģÏÎŽÏÎĩÎđ ΚιÎđ ÏÏÎŋÎ― Sighery. ÎĪÎŋ ÎļÎΞι ÎĩÎŊÎ―ÎąÎđ ÏÏÎđ, ÏÎŋ Î―Îą ÎīÎŊÎ―ÎĩÎđÏ ÏÎą ÏÏÎŋÎđÏÎĩÎŊÎą ÏÎŋÏ ÏÎĩ ÎÎ―Îą fake site, ιΚÏΞη ΚιÎđ ÎąÎ― ÎģÎŊÎ―ÎĩÏÎąÎđ ΞÎÏÏ ÎĩÎ―ÏÏ legit link, ÎĩÎŊÎ―ÎąÎđ ÏιΞÏÎŽÎŧÎąÎđÎŋ scamming ΚÏÎŧÏÎŋ.
Comment has been collapsed.
ÎĪÎŋ ÎļÎΞι ÎīÎĩÎ― ÎĩÎŊÎ―ÎąÎđ ÏÎŋ ÏÏÎđ ÎīÎŊÎ―ÎĩÎđÏ ÏÎą ÏÏÎŋÎđÏÎĩÎŊÎą ÏÎŋÏ , ÎąÎŧÎŧÎŽ ÏÎŋ ÏÏÎđ ΚΎÏÎŋÎđÎŋÏ ÎžÏÏÏÎĩÏÎĩ Î―Îą ÎšÎŽÎ―ÎĩÎđ inject javascripts ÏÏÎŋ Steam profile. ÎĪÎŋ ÎģÎĩÎģÎŋÎ―ÏÏ ÏÏÎđ ÎīÎĩÎ― ΞÏÎŋÏÎĩÎŊ Î―Îą ÎšÎŽÎ―ÎĩÎđ ΚΎÏÎđ ÎŽÎŧÎŧÎŋ ΞÎĩ ÎąÏ ÏÏ (ÎąÏ ÏÏΞιÏÎą trades ΚÎŧÏ.) ÎĩÎŊÎ―ÎąÎđ ÎŧÏÎģÎŋ ΚΎÏÎŋÎđÎŋÎ― ÏÎĩÏÎđÎŋÏÎđÏΞÏÎ― ÏÎŋÏ Steam. ÎĪÎŋ ÏÎŧÎŋ ΚÏÎŧÏÎŋ ÎīÎĩÎ― ÎĩÎŊÎ―ÎąÎđ ÏÏÎđ ÏÎĩ ÎšÎŽÎ―ÎĩÎđ redirect ÏÎĩ phishing sites, ÎąÎŧÎŧÎŽ ÏÎŋ ÏÏÎđ ÏÎĩ ÎšÎŽÎ―ÎĩÎđ redirect.
ÎÎŋΞÎŊÎķÏ ÏÎąÏÏΞÎŋÎđÎŋ ÎŪÏÎąÎ― ΚιÎđ ÎĩΚÎĩÎŊÎ―Îŋ ÏÎŋÏ ÏÎĩ ÎÎšÎąÎ―Îĩ redirect ÏÎĩ random Steam account's ΚιÎđ ΞÏÎŋÏÎŋÏÏÎĩÏ Î―Îą ÎīÎĩÎđÏ ÏÎą ÏÏÎŋÎđÏÎĩÎŊÎą ÏÎŋÏ Ï.
Comment has been collapsed.
ÎÎÎ―Îĩ ÏÏÎđ ΞÏÎŋÏÎĩÎŊ Î―Îą ÎąÎģÎŋÏÎŽÏÎĩÎđ ÎąÏÏ ÎžÏÎ―Îŋ ÏÎŋÏ ÎšÎąÎđ ÏÏÎŽÎģΞιÏÎą ÎąÏÏ ÏÎŋ steam market. ÎÎąÎđ ÎąÎ― ÎÏÏ ÏÎŽÎļÎĩÎđ ÎŪÎīη ÎąÏ ÏÎŪÎ― Ïη ΞιÎŧιΚÎŊÎą, ÏÏÏ ÎžÏÎŋÏÏ Î―Îą ÏÎŋ ÎūÎÏÏ (ÏÏÎŋÏÎąÎ―ÏÏ ÎļÎą ÏÎŋ'ÎūÎĩÏÎą ÎŪÎīη ÎąÎ― ÎĩÎŊÏÎąÎ― ÎąÎģÎŋÏÎŽÏÎĩÎđ ÏÏÎŽÎģΞιÏÎą ÎąÏÏ ÏÎŋ ÎŧÎŋÎģÎąÏÎđÎąÏÎžÏ ÎžÎŋÏ ); ÎÏÎĩÎđÎīÎŪ ÏÏηÏÎđΞÎŋÏÎŋÎđÏ ÏÎŋ steam ÎąÏÏ browser ÎŋÏ Îš ÎŋÎŧÎŊÎģÎĩÏ ÏÎŋÏÎÏ.
Comment has been collapsed.
ÎÏÎĩÎđÎīÎŪ ÎĩÎŊÏÎąÎđ ÎŪÎīη ÏÏ Î―ÎīÎĩÎīÎĩΞÎÎ―ÎŋÏ ÏÏÎŋ Steam ÎąÏÏ ÏÎŋÎ― browser ÏÎŋÏ , Î―ÎąÎđ ÎļÎĩÏÏηÏÎđΚΎ ÎļÎą ΞÏÎŋÏÎŋÏÏÎĩ Î―Îą ÎąÎģÎŋÏÎŽÏÎĩÎđ ÎąÏÏ ÎžÏÎ―Îŋ ÏÎŋÏ (ÎąÎ― ÏÎŋÏ ÎÎšÎąÎ―Îĩ inject ÏÎŋ script). ÎĄÎĩÎąÎŧÎđÏÏÎđΚΎ ΞÎđÎŧÏÎ―ÏÎąÏ, ÎīÎĩÎ― ÎūÎÏÏ ÎšÎąÏÎŽ ÏÏÏÎŋ ÎąÏ ÏÏ ÎģÎŊÎ―ÎĩÏÎąÎđ. ÎÎą ÎÎŧÎĩÎģÎą ÎĩÎūÎąÏÏÎŽÏÎąÎđ ÎąÏÏ ÏÎđÏ ÎđÎšÎąÎ―ÏÏηÏÎĩÏ ÏÎŋÏ coder.
ÎÎą ÏÎĩ ÏÏ ÎžÎēÎŋÏÎŧÎĩÏ Îą ÎąÏÎŧÎŽ Î―Îą ÎžÎ·Î― ÎšÎŽÎ―ÎĩÎđÏ browsing ΚιÎđ Î―Îą ÎšÎŽÎ―ÎĩÎđÏ Logout ÎąÏÏ ÏÎŋ Browser ÏÎŋÏ , ÎģÎđÎą ΚΎÎļÎĩ ÎĩÎ―ÎīÎĩÏÏΞÎĩÎ―Îŋ.
Comment has been collapsed.
ÎÎšÎąÎ―Îą disconnect ÏÎŋ steam ÎąÏÏ ÏÎŋÎ― browser. ÎÏÎŧÎŽ, ÏÏÏÏ ÎĩÎŊÏÎą, ÏÏÏ ÎžÏÎŋÏÏ Î―Îą ÎūÎÏÏ ÏÏÎđ ÎīÎĩ ΞÎĩ ÎÏÎĩÎđ ÎĩÏηÏÎĩÎŽÏÎĩÎđ; ÎÎ― ÏÎŋ ÎīÎđÎŋÏÎļÏÏÎŋÏ Î―Îĩ ÏÎŋ ÏÏÏÎēÎŧηΞι, ιΚÏΞι ΚιÎđ ÎąÎ― ÎĩÎŊÏÎą ÎĩÏηÏÎĩÎąÏÏÎĩÎŊ, ÎļÎą ÎĩÎŊΞιÎđ ÏÎđÎą ÎąÏÏÎąÎŧÎŪÏ;
Comment has been collapsed.
ÎÏÎĩÎđÎīÎŪ ÎīÎĩÎ― ÎūÎÏÏ ÏÎŋÎŧÎŧÎŽ ÎąÏÏ coding, ÎīÎĩÎ― ΞÏÎŋÏÏ Î―Îą ÏÎŋÏ ÎąÏÎąÎ―ÏÎŪÏÏ ÏÏÎŋ ÏÏÏ ÎžÏÎŋÏÎĩÎŊÏ Î―Îą ÎĩÎŊÏÎąÎđ ÏÎŊÎģÎŋÏ ÏÎŋÏ ÏÏÎđ ÎīÎĩÎ― ÎĩÏηÏÎĩÎŽÏÏηΚÎĩÏ. ÎÎ― ÏÎŋ ÎīÎđÎŋÏÎļÏÏÎŋÏ Î―, ÎŧÎŋÎģÎđΚΎ ÎļÎą ÎĩÎŊÏÎąÎđ ÎąÏÏÎąÎŧÎŪÏ ÏÎđÎą. ÎÎŧÎŧÎŽ ÏÏÏÏ ÎĩÎŊÏÎą, ÎīÎĩÎ― ÎģÎ―ÏÏÎŊÎķÏ.
Comment has been collapsed.
Viewing your own profile should be fine from what I get from it.
Just don't go anywhere else. Avoid checking groups as well.
But I guess they're being too vague. They're making it sound like you could even infect a profile yourself, with a comment or so. Or like a game store page with a review. In that case if you have a public comment section not even your profile would be safe.
So unless there is more info about it I would avoid everything. :p
Comment has been collapsed.
So, just don't do anything on browser related to steam, only through steam app?
Comment has been collapsed.
It depends. I don't know what's wrong atm, but if your comment wall is set to private your profile is probably safe
Comment has been collapsed.
Some explanation from a comment in the thread:
With the right know-how a malicious user could do these actions for example, and you only need to view a Steam Profile:
Redirect you to any non-steam page, for example a phishing login page. From a user perspective it is you going to a legitimate Steam profile, then you see a login page. Seems legit right? Pop in your info. You didn't click anything suss so it's no big deal.
Utilize scripting to use your Steam Market funds on any item the malicious user chooses, you wouldn't even need to confirm anything as you're on a valid login session.
Manipulate elements on the page as they see fit.Also
A user can still insert remote CSS to make their profile appear to be something it's not - like a Valve employee profile, or a Mod profile, etc.Comment has been collapsed.
Sooooo? :/ It's just about giving your info on a fake site identical to steam?
Comment has been collapsed.
No, also scripting it sounds like. So they insert javascript code in the page that you're viewing, and it acts like you in the browser to do stuff in the market, like buying items.
Comment has been collapsed.
Oh, so even if you don't give your info, it's enough to get affected? :O Damn. :(
Comment has been collapsed.
As far as i know, if you have opened one infected tab, and you open, lets say bank account website in other tab and login, you can read login in password from other tabs... Javascript blocker for life.
Comment has been collapsed.
NO.
What this is about is calling URLs from a Tab in the same domain. means from steamcommunity.com/profile/XXX you can call steamcommunity.com/market/buyOverpricedItem and for steam its the same as if you would have bought the item yourself.
You can NOT influence or read other tabs (only if both are manipulated) and you can not do Cross-Domain stuff (not calling store.steampowered from steamcommunity).
Comment has been collapsed.
I've just installed to see what this no script blocker thing was for and it looked like in the picture. Nothing new, my phone was always blocking those and now I'm in a pc browser which websites don't work properly in it. Don't know how to set up it though.
Comment has been collapsed.
You should have white bar at bottom. You press setttings and something like "dont block steamgifts.com"
You can do the same for domains you feel secure.
On other hand you will see how many websites use scripts from external domains...
Comment has been collapsed.
So, it doesn't matter if I click on a link? The problem is when I check steam profiles with implemented javascript codes? So, nothing will happen if I check out "healthy" steam profiles or groups and, especially, nothing will happen if steam on browser won't ask me my name and password? I mean, this trick only works to get your info by joining a fake site identical to steam and giving them your name and password? And it only works on browsers?
Comment has been collapsed.
You'll never know if a profile is healthy and no, it's not only the fake site thing (that's called phishing)
it could modify what do you see, like adding a legit "steam member" badge on a random user, or buy something on the market
Comment has been collapsed.
And the last thing is the mosty scary. o.O Damn, I hope I didn't get harmed. ;_;
Comment has been collapsed.
I read everything and I can understand now, but if I can't assume that any profile is healthy, then how can I know that I'm not affected already, since I'm usually using steam on browser?
EDIT: I read your edit. This only works when having a browser window (with steam obviously) open or no matter what (as long as you visited an affected profile at some point obviously)?
Comment has been collapsed.
Btw, a guy added me yesterday, telling me to avoid a guy named (can't say the name here) because he scammed him. I checked him out on my steam APP (not from browser), by searching his name on steam community. Then, I copied-pasted his profile link on steamrep and saw that he is already banned there, so I told the other guy he's already marked as a scammer. Then he told me he didn't know it, he wrote me a troll text that he had in his steam description, then deleted me. Should I be worried? You can't possibly know if he wanted to affect my profile, but did I do anything that would put me in harm's way? And finally, when this thing get fixed, even if I got affected, should I still be worried? I disconnected steam from my browser, btw. These are my final questions, so don't hate me. :B Thanks a lot for your help.
Comment has been collapsed.
This exploit happens in activity feed too, so it may be a good idea to not open the activity feed until this is fixed.
Comment has been collapsed.
update:
Valve have disabled Guide Showcases which means noone else can attempt this exploit. Now we just wait for them to clean up the profiles that have already abused this.
Comment has been collapsed.
Ouch make me feel worried... :/
Anyway thank you for the info
Comment has been collapsed.
Yeah how the bloody hell you can be sure you are not infected? :/
Comment has been collapsed.
Yep
Steam will put an end to it and quickly i hope.
Comment has been collapsed.
Change your password and stay away from the steam community and you should be fine. I almost got fucked over already by someone my boyfriend knows >.>
Comment has been collapsed.
But but i want to annoy my steam friends. :x
You know like give them 10 notifications. :p
Comment has been collapsed.
You can still annoy them, just dont visit any page.
I have 6 unread messages so I will assume that was you :P Gonna read it when I am home in an hour ;)
Comment has been collapsed.
After yesterday I dont believe you for a second ;)
Comment has been collapsed.
Would a logout from the Browser help? They can't take any actions on an account if there is no account in the first place, can they?
Comment has been collapsed.
it's still safe to use any steamrelated addon on firefox/chrome? (things like enhanced steam)
Comment has been collapsed.
BUMP. Just posted it in 3 my country facebook groups. I want people to be safe.
Comment has been collapsed.
Meh, okay. What am I going to lose with that script? I assume they will fully reimburse all the loses if that script hits me, cause it's completely 100% their fault with holes in their security.
ðĪĶââïļ
Comment has been collapsed.
Another reason why we should have nuked javascript from the face of the Earth ages ago.
Comment has been collapsed.
https://www.reddit.com/r/Steam/comments/5skfg4/warning_regarding_a_steam_profile_related_exploit/
Wow, another exploit, how unexpected
TL;DR
Currently, there is a risk (i.e. phishing, malicious script execution, etc.) involved when viewing or simply opening PROFILE pages of other steam users as well as your OWN ACTIVITY FEED (both desktop and mobile versions on all browsers).
update:
update 2:
Steam Profiles are safe to visit now.
Activity Feed might still be affected
update 3:
Fixed
Comment has been collapsed.