"Public Service Announcement"
http://www.urbandictionary.com/define.php?term=psa
It doesn't have "PSA" in the title before, that's why I'm telling OP to do it.. :3
Other PSA thread on SG
Oh, I was just about to create a similar thread but then noticed this. Good I didn't double it.
Thanks for the info and let's hope this exploit will get fixed very soon...
I don't think so, if you really need to open a profile at least use a no-script extension
I don't even get it. o.O Even if you check your own profile on a browser, you may get affected? o.O Or there are some specific malicious links that they'll send you and you'll get affected by clicking on them? Someone explain. :/
I can't understand anything of what they're saying. ;_;
So, it redirects you on a fake site, identical to steam? So, you'll only get affected by clicking on a steam link? Not by checking your own steam profile, a friend's steam profile, etc? Only these specific malicious links will affect you?
So, it's only about giving your name and password to a fake site? That kind of link?
It's still a really old trick. I mean, giving someone a link of a fake site in order to give his info, is a really old scamming trick. So, I shouldn't be afraid if I didn't click on anything? :/ Because, in the other comments, they're saying otherwise. :(
Friend, you honestly need to learn English better, it will help you. Nobody is giving you any link. You go to your friend's profile from the browser and, if his profile is affected, a JavaScript starts running. That script automatically takes you to another site, a phishing site, which asks you to log in. The problem is that you are on the GENUINE Steam website, and it automatically directs you to another, fake one.
I really hope you understood now.
Yes, I understood it, and I already know English well. Either someone gives you a link to an affected profile or you look at it on your own, and it redirects you to a fake site. I understood it and, if you notice, I've written the same to Sighery as well. The point is that giving your details to a fake site, even if it happens through a legit link, is an age-old scamming trick.
The issue isn't that you give away your details, but that someone was able to inject JavaScript into the Steam profile. The fact that he can't do anything else with it (automatic trades etc.) is due to some restrictions on Steam's side. The whole trick isn't that it redirects you to phishing sites, but that it redirects you at all.
I think the one that redirected you to random Steam accounts, where you could see their details, was similar.
They say it can also buy things from the Steam market by itself. And if I've already been hit by this crap, how can I know (obviously I would already know if they had bought things from my account)? Because I use Steam from the browser quite often.
Because you are already logged in to Steam in your browser, yes, theoretically it could buy things by itself (if the script got injected on you). Realistically speaking, I don't know to what extent this can be done. I'd say it depends on the coder's skills.
I would simply advise you not to browse and to log out in your browser, just in case.
I disconnected Steam from the browser. It's just, as I said, how can I know that it hasn't affected me? If they fix the problem, even if I had been affected, will I be safe from then on?
Because I don't know much about coding, I can't tell you how you can be sure that you weren't affected. If they fix it, you should logically be safe from then on. But as I said, I don't know.
Viewing your own profile should be fine from what I get from it.
Just don't go anywhere else. Avoid checking groups as well.
But I guess they're being too vague. They're making it sound like you could even infect a profile yourself, with a comment or so. Or like a game store page with a review. In that case if you have a public comment section not even your profile would be safe.
So unless there is more info about it I would avoid everything. :p
So, just don't do anything on browser related to steam, only through steam app?
It depends. I don't know what's wrong atm, but if your comment wall is set to private your profile is probably safe
Just like everyone, I have my comment wall available only for friends.
Some explanation from a comment in the thread:
With the right know-how a malicious user could do these actions for example, and you only need to view a Steam Profile:
Redirect you to any non-steam page, for example a phishing login page. From a user perspective it is you going to a legitimate Steam profile, then you see a login page. Seems legit right? Pop in your info. You didn't click anything suss so it's no big deal.
Utilize scripting to use your Steam Market funds on any item the malicious user chooses, you wouldn't even need to confirm anything as you're on a valid login session.
Manipulate elements on the page as they see fit.
Also
A user can still insert remote CSS to make their profile appear to be something it's not - like a Valve employee profile, or a Mod profile, etc.
Sooooo? :/ It's just about giving your info on a fake site identical to steam?
No, also scripting it sounds like. So they insert javascript code in the page that you're viewing, and it acts like you in the browser to do stuff in the market, like buying items.
Oh, so even if you don't give your info, it's enough to get affected? :O Damn. :(
NO.
What this is about is calling URLs from a tab in the same domain. This means that from steamcommunity.com/profile/XXX you can call steamcommunity.com/market/buyOverpricedItem, and for Steam it's the same as if you would have bought the item yourself.
You can NOT influence or read other tabs (only if both are manipulated) and you can not do Cross-Domain stuff (not calling store.steampowered from steamcommunity).
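The same-origin rule the comment above relies on, as an added example that is not part of the original thread: a script on a profile page shares its origin (scheme, host, port) with every other path on steamcommunity.com, but not with store.steampowered.com. The two hostnames come from the thread; the paths and the port case are constructed.

```javascript
// Added illustration of the same-origin rule described in the comment above.
// Hostnames are the ones named in the thread; paths and ports are constructed.

// An origin is the (scheme, host, port) triple; the path plays no part in it.
function originOf(url) {
  const u = new URL(url);
  // URL.port is "" when the scheme's default port is in use.
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Describe how the browser treats a request from a script on pageUrl to targetUrl.
function classify(pageUrl, targetUrl) {
  const target = new URL(targetUrl, pageUrl).href; // resolve relative URLs
  const sameOrigin = originOf(pageUrl) === originOf(target);
  return {
    target,
    sameOrigin,
    // Same-origin responses are readable by the page's scripts. Cross-origin
    // responses are not, unless the other site opts in through CORS.
    responseReadable: sameOrigin,
  };
}

const profile = "https://steamcommunity.com/profile/XXX"; // placeholder path from the thread
const samples = [
  "/market/",                                // relative URL on the profile's own site
  "https://steamcommunity.com/market/",      // different path, same origin
  "https://store.steampowered.com/",         // different host
  "http://steamcommunity.com/market/",       // different scheme
  "https://steamcommunity.com:8443/market/", // different port (constructed)
];

for (const s of samples) {
  const r = classify(profile, s);
  console.log(`${r.sameOrigin ? "same-origin " : "cross-origin"}  ${r.target}`);
}
```

Because the path is not part of the origin, a profile page, the market and the activity feed on one host all fall inside the same boundary, which is why user-supplied content on any of them has to be encoded before it is rendered.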
So, it doesn't matter if I click on a link? The problem is when I check steam profiles with implemented javascript codes? So, nothing will happen if I check out "healthy" steam profiles or groups and, especially, nothing will happen if steam on browser won't ask me my name and password? I mean, this trick only works to get your info by joining a fake site identical to steam and giving them your name and password? And it only works on browsers?
You'll never know if a profile is healthy and no, it's not only the fake site thing (that's called phishing).
It could modify what you see, like adding a legit "steam member" badge on a random user, or buy something on the market.
And the last thing is the most scary. o.O Damn, I hope I didn't get harmed. ;_;
I read everything and I can understand now, but if I can't assume that any profile is healthy, then how can I know that I'm not affected already, since I'm usually using steam on browser?
EDIT: I read your edit. This only works when having a browser window (with steam obviously) open or no matter what (as long as you visited an affected profile at some point obviously)?
Btw, a guy added me yesterday, telling me to avoid a guy named (can't say the name here) because he scammed him. I checked him out on my steam APP (not from browser), by searching his name on steam community. Then, I copied-pasted his profile link on steamrep and saw that he is already banned there, so I told the other guy he's already marked as a scammer. Then he told me he didn't know it, he wrote me a troll text that he had in his steam description, then deleted me. Should I be worried? You can't possibly know if he wanted to affect my profile, but did I do anything that would put me in harm's way? And finally, when this thing gets fixed, even if I got affected, should I still be worried? I disconnected steam from my browser, btw. These are my final questions, so don't hate me. :B Thanks a lot for your help.
Of course you can't know that - I only asked if there's a possibility that this happened. Anyway, thanks a lot. Have a nice day. ;)
This exploit happens in activity feed too, so it may be a good idea to not open the activity feed until this is fixed.
Not yet. At least the existing guide showcases are still there for now.
I'm going to report you to Interpol for home privacy invasion
Change your password and stay away from the steam community and you should be fine. I almost got fucked over already by someone my boyfriend knows >.>
You can still annoy them, just don't visit any page.
I have 6 unread messages so I will assume that was you :P Gonna read it when I am home in an hour ;)
After yesterday I don't believe you for a second ;)
You can't buy without an account, so obviously yes
Yes, Python in the browser seems a lot safer
https://www.reddit.com/r/Steam/comments/5skfg4/warning_regarding_a_steam_profile_related_exploit/
Wow, another exploit, how unexpected
TL;DR
Currently, there is a risk (i.e. phishing, malicious script execution, etc.) involved when viewing or simply opening PROFILE pages of other steam users as well as your OWN ACTIVITY FEED (both desktop and mobile versions on all browsers).
update:
update 2:
Steam Profiles are safe to visit now.
Activity Feed might still be affected
update 3:
Fixed