Bump!
I think you should put [PSA] or something like that
Comment has been collapsed.
"Publice Service Announcement"
http://www.urbandictionary.com/define.php?term=psa
It doesn't have "PSA" in the title before, that's why I'm telling OP to do it.. :3
Other PSA thread on SG
Comment has been collapsed.
Oh, nice to know, for some reason I always though it means Please Stay Alert, which in the end has a similar meaning/effect I guess.
Comment has been collapsed.
Oh, I was just about to create similar thread but then noticed this. Good I didn't double it.
Thanks for the info and let's hope this exploit will get fixed very soon...
Comment has been collapsed.
Did you just say... B A N A N A ?
Comment has been collapsed.
ouch, what is this?
got a friend request right yesterday from an unknown profile and obviously went to check why.
didn't accept and this morning the request was gone :\
Comment has been collapsed.
I don't even get it. o.O Even if you check your own profile on a browser, you may get affected? o.O Or there are some specific malicious links that they'll send you and you'll get affected by clicking on them? Someone explain. :/
Comment has been collapsed.
I can't understand anything of what they're saying. ;_;
Comment has been collapsed.
Of what I understood reading the Reddit thread, it probably redirects you somewhere else when clicking on the profiles.
Comment has been collapsed.
So, it redirects you on a fake site, identical to steam? So, you'll only get affected by clicking on a steam link? Not by checking your own steam profile, a friend's steam profile, etc? Only these specific malicious links will affect you?
Comment has been collapsed.
You click on a real steam link and it redirects you to an identical website. There are no malicious links (to my understanding, if I am wrong please someone correct me).
Comment has been collapsed.
So, it's only about giving your name and password to a fake site? That kind of link?
Comment has been collapsed.
So it seems. The problem is that you are on a legit URL and you get redirected by clicking on that legit URL's content. I personally wouldn't suspect a thing, I would think that it is Steam derping once more (as it usually does).
Comment has been collapsed.
It's still a really old trick. I mean, giving someone a link of a fake site in order to give his info, is a really old scamming trick. So, I shouldn't be afraid if I didn't click on anything? :/ Because, in the other comments, they're saying otherwise. :(
Comment has been collapsed.
Φίλος πρέπει ειλικρινά να μάθεις καλύτερα Αγγλικά, θα σε βοηθήσει. Δεν σου δίνει κανείς κανένα Link. Μπαίνεις στο profile του φίλου σου από τον Browser και αν είναι affected το profile του, αρχίζει και τρέχει ένα Javascript. Το script αυτό σε πάει αυτόματα σε ένα άλλο phishing site που σε ζητάει να κάνεις Login. Το πρόβλημα είναι ότι είσαι στην ΑΥΘΕΝΤΙΚΗ ιστοσελίδα του Steam, και αυτό αυτόματα σε καθοδηγεί σε μια άλλη ψεύτικη.
Πραγματικά ελπίζω να κατάλαβες τώρα.
Comment has been collapsed.
Ναι, το κατάλαβα και ξέρω ήδη καλά αγγλικά. Είτε σου δίνουν κάποιοι ένα link ενός affected profile είτε το κοιτάς από μόνος σου και σου κάνει redirect σε fake site. Το κατάλαβα και, αν παρατηρήσεις, το'χω γράψει και στον Sighery. Το θέμα είναι ότι, το να δίνεις τα στοιχεία σου σε ένα fake site, ακόμη και αν γίνεται μέσω ενός legit link, είναι παμπάλαιο scamming κόλπο.
Comment has been collapsed.
Το θέμα δεν είναι το ότι δίνεις τα στοιχεία του, αλλά το ότι κάποιος μπόρεσε να κάνει inject javascripts στο Steam profile. Το γεγονός ότι δεν μπορεί να κάνει κάτι άλλο με αυτό (αυτόματα trades κλπ.) είναι λόγο κάποιον περιορισμών του Steam. Το όλο κόλπο δεν είναι ότι σε κάνει redirect σε phishing sites, αλλά το ότι σε κάνει redirect.
Νομίζω παρόμοιο ήταν και εκείνο που σε έκανε redirect σε random Steam account's και μπορούσες να δεις τα στοιχεία τους.
Comment has been collapsed.
Λένε ότι μπορεί να αγοράσει από μόνο του και πράγματα από το steam market. Και αν έχω πάθει ήδη αυτήν τη μαλακία, πώς μπορώ να το ξέρω (προφανώς θα το'ξερα ήδη αν είχαν αγοράσει πράγματα από το λογαριασμό μου); Επειδή χρησιμοποιώ το steam από browser ουκ ολίγες φορές.
Comment has been collapsed.
Επειδή είσαι ήδη συνδεδεμένος στο Steam από τον browser σου, ναι θεωρητικά θα μπορούσε να αγοράσει από μόνο του (αν σου έκανε inject το script). Ρεαλιστικά μιλώντας, δεν ξέρω κατά πόσο αυτό γίνεται. Θα έλεγα εξαρτάται από τις ικανότητες του coder.
Θα σε συμβούλευα απλά να μην κάνεις browsing και να κάνεις Logout από το Browser σου, για κάθε ενδεχόμενο.
Comment has been collapsed.
Έκανα disconnect το steam από τον browser. Απλά, όπως είπα, πώς μπορώ να ξέρω ότι δε με έχει επηρεάσει; Αν το διορθώσουνε το πρόβλημα, ακόμα και αν είχα επηρεαστεί, θα είμαι πια ασφαλής;
Comment has been collapsed.
Επειδή δεν ξέρω πολλά από coding, δεν μπορώ να σου απαντήσω στο πως μπορείς να είσαι σίγουρος ότι δεν επηρεάστηκες. Αν το διορθώσουν, λογικά θα είσαι ασφαλής πια. Αλλά όπως είπα, δεν γνωρίζω.
Comment has been collapsed.
Viewing your own profile should be fine from what I get from it.
Just don't go anywhere else. Avoid checking groups as well.
But I guess they're being too vague. They're making it sound like you could even infect a profile yourself, with a comment or so. Or like a game store page with a review. In that case if you have a public comment section not even your profile would be safe.
So unless there is more info about it I would avoid everything. :p
Comment has been collapsed.
So, just don't do anything on browser related to steam, only through steam app?
Comment has been collapsed.
It depends. I don't know what's wrong atm, but if your comment wall is set to private your profile is probably safe
Comment has been collapsed.
Some explanation from a comment in the thread:
With the right know-how a malicious user could do these actions for example, and you only need to view a Steam Profile:
Redirect you to any non-steam page, for example a phishing login page. From a user perspective it is you going to a legitimate Steam profile, then you see a login page. Seems legit right? Pop in your info. You didn't click anything suss so it's no big deal.
Utilize scripting to use your Steam Market funds on any item the malicious user chooses, you wouldn't even need to confirm anything as you're on a valid login session.
Manipulate elements on the page as they see fit.Also
A user can still insert remote CSS to make their profile appear to be something it's not - like a Valve employee profile, or a Mod profile, etc.Comment has been collapsed.
Sooooo? :/ It's just about giving your info on a fake site identical to steam?
Comment has been collapsed.
No, also scripting it sounds like. So they insert javascript code in the page that you're viewing, and it acts like you in the browser to do stuff in the market, like buying items.
Comment has been collapsed.
Oh, so even if you don't give your info, it's enough to get affected? :O Damn. :(
Comment has been collapsed.
As far as i know, if you have opened one infected tab, and you open, lets say bank account website in other tab and login, you can read login in password from other tabs... Javascript blocker for life.
Comment has been collapsed.
NO.
What this is about is calling URLs from a Tab in the same domain. means from steamcommunity.com/profile/XXX you can call steamcommunity.com/market/buyOverpricedItem and for steam its the same as if you would have bought the item yourself.
You can NOT influence or read other tabs (only if both are manipulated) and you can not do Cross-Domain stuff (not calling store.steampowered from steamcommunity).
Comment has been collapsed.
I've just installed to see what this no script blocker thing was for and it looked like in the picture. Nothing new, my phone was always blocking those and now I'm in a pc browser which websites don't work properly in it. Don't know how to set up it though.
Comment has been collapsed.
You should have white bar at bottom. You press setttings and something like "dont block steamgifts.com"
You can do the same for domains you feel secure.
On other hand you will see how many websites use scripts from external domains...
Comment has been collapsed.
So, it doesn't matter if I click on a link? The problem is when I check steam profiles with implemented javascript codes? So, nothing will happen if I check out "healthy" steam profiles or groups and, especially, nothing will happen if steam on browser won't ask me my name and password? I mean, this trick only works to get your info by joining a fake site identical to steam and giving them your name and password? And it only works on browsers?
Comment has been collapsed.
You'll never know if a profile is healthy and no, it's not only the fake site thing (that's called phishing)
it could modify what do you see, like adding a legit "steam member" badge on a random user, or buy something on the market
Comment has been collapsed.
And the last thing is the mosty scary. o.O Damn, I hope I didn't get harmed. ;_;
Comment has been collapsed.
I read everything and I can understand now, but if I can't assume that any profile is healthy, then how can I know that I'm not affected already, since I'm usually using steam on browser?
EDIT: I read your edit. This only works when having a browser window (with steam obviously) open or no matter what (as long as you visited an affected profile at some point obviously)?
Comment has been collapsed.
Btw, a guy added me yesterday, telling me to avoid a guy named (can't say the name here) because he scammed him. I checked him out on my steam APP (not from browser), by searching his name on steam community. Then, I copied-pasted his profile link on steamrep and saw that he is already banned there, so I told the other guy he's already marked as a scammer. Then he told me he didn't know it, he wrote me a troll text that he had in his steam description, then deleted me. Should I be worried? You can't possibly know if he wanted to affect my profile, but did I do anything that would put me in harm's way? And finally, when this thing get fixed, even if I got affected, should I still be worried? I disconnected steam from my browser, btw. These are my final questions, so don't hate me. :B Thanks a lot for your help.
Comment has been collapsed.
This exploit happens in activity feed too, so it may be a good idea to not open the activity feed until this is fixed.
Comment has been collapsed.
update:
Valve have disabled Guide Showcases which means noone else can attempt this exploit. Now we just wait for them to clean up the profiles that have already abused this.
Comment has been collapsed.
Ouch make me feel worried... :/
Anyway thank you for the info
Comment has been collapsed.
Yeah how the bloody hell you can be sure you are not infected? :/
Comment has been collapsed.
Yep
Steam will put an end to it and quickly i hope.
Comment has been collapsed.
Change your password and stay away from the steam community and you should be fine. I almost got fucked over already by someone my boyfriend knows >.>
Comment has been collapsed.
But but i want to annoy my steam friends. :x
You know like give them 10 notifications. :p
Comment has been collapsed.
You can still annoy them, just dont visit any page.
I have 6 unread messages so I will assume that was you :P Gonna read it when I am home in an hour ;)
Comment has been collapsed.
After yesterday I dont believe you for a second ;)
Comment has been collapsed.
Would a logout from the Browser help? They can't take any actions on an account if there is no account in the first place, can they?
Comment has been collapsed.
it's still safe to use any steamrelated addon on firefox/chrome? (things like enhanced steam)
Comment has been collapsed.
BUMP. Just posted it in 3 my country facebook groups. I want people to be safe.
Comment has been collapsed.
Meh, okay. What am I going to lose with that script? I assume they will fully reimburse all the loses if that script hits me, cause it's completely 100% their fault with holes in their security.
🤦♀️
Comment has been collapsed.
Another reason why we should have nuked javascript from the face of the Earth ages ago.
Comment has been collapsed.
https://www.reddit.com/r/Steam/comments/5skfg4/warning_regarding_a_steam_profile_related_exploit/
Wow, another exploit, how unexpected
TL;DR
Currently, there is a risk (i.e. phishing, malicious script execution, etc.) involved when viewing or simply opening PROFILE pages of other steam users as well as your OWN ACTIVITY FEED (both desktop and mobile versions on all browsers).
update:
update 2:
Steam Profiles are safe to visit now.
Activity Feed might still be affected
update 3:
Fixed
Comment has been collapsed.