This topic has been locked
Is / was steam vulnerable to the webp zero day? (CVE-2023-4863)
So turns out if a crafted WebP image is loaded by your browser, a hacker gets complete control over your PC. And it's not just browsers. Any software that uses the libwebp framework.

This includes chrome, firefox, discord, skype.

A random guy started sending me a lot of screenshots of games and stuff via steam chat, he seems ok but this huge security flaw has got me paranoid. But then I noticed you can't send webp via steam chat.

Has this always been the case? Has steam chat never accepted webp? Or do I have to wipe my PC? Has steam been patched?
Last edited by captainducko; Oct 2, 2023 @ 4:41pm
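Added example, not part of the original thread: a file's format is decided by its content, not its extension, so anyone triaging received images can check for the RIFF/WEBP container header directly. The function names and sample bytes below are constructed for illustration; the check identifies the format only and says nothing about whether a file is malicious.

```python
import struct

# First-chunk FourCC -> bitstream kind, per the WebP container layout.
CHUNK_KINDS = {b"VP8 ": "lossy", b"VP8L": "lossless", b"VP8X": "extended"}


def sniff_webp(data: bytes):
    """Return None if data is not a WebP container, else a dict describing it.

    Looks only at the first 16 bytes; it identifies the format and does not
    judge whether the image is safe to decode.
    """
    if len(data) < 16 or data[0:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    (riff_size,) = struct.unpack_from("<I", data, 4)
    fourcc = data[12:16]
    return {
        "kind": CHUNK_KINDS.get(fourcc, "unknown"),
        # The RIFF size field counts everything after the 8-byte RIFF header.
        "size_matches": riff_size + 8 == len(data),
    }


def flag_disguised(files: dict):
    """Names whose content is WebP although the extension says otherwise."""
    return sorted(
        name for name, blob in files.items()
        if sniff_webp(blob) is not None and not name.lower().endswith(".webp")
    )


def _constructed_webp(fourcc: bytes, payload: bytes) -> bytes:
    # Constructed sample: container header plus one chunk, not a decodable image.
    chunk = fourcc + struct.pack("<I", len(payload)) + payload
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"WEBP" + chunk


# Constructed sample inputs (file name -> content).
SAMPLES = {
    "screenshot1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "screenshot2.png": _constructed_webp(b"VP8L", b"\x2f" + b"\x00" * 7),
    "avatar.webp": _constructed_webp(b"VP8 ", b"\x00" * 10),
    "notes.txt": b"RIFF but too short",
}

if __name__ == "__main__":
    for name in flag_disguised(SAMPLES):
        print(name, sniff_webp(SAMPLES[name]))
```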
Crystal Sharrd Oct 3, 2023 @ 7:39am 
I don't see libwebp mentioned in the app's acknowledgements, so I'd just avoid using the Steam overlay's built-in web browser.
nullable Oct 3, 2023 @ 7:42am 
Steam doesn't support the webp as far as I know, it's a newer format and Valve hasn't really increased/improved their graphics support for nearly as long as Steam has existed. It's been a constant source of complaints for people who want to host all sorts of new/modern/large graphics.

As far as I know Steam's graphics support is kind of like it's still 2003.
Last edited by nullable; Oct 3, 2023 @ 7:43am
wuddih Oct 3, 2023 @ 8:37am 
even without this, make this your mantra until next year's CEF update:
"do not open non-Steam urls within Steam".

and since you cannot upload that format to Steam, this should be unproblematic ... well, besides workshop content and then it depends on the game how bad this will end.
captainducko Oct 3, 2023 @ 7:03pm 
thanks all..to confirm, steam has never supported webps in chat, workshop images, profile images or profile backgrounds? It's just viewing a website with a malicious webp with the browser? This is a massive vulnerability still can't believe they're not patching it.
Cray Oct 4, 2023 @ 4:07am 
Originally posted by wuddih:
even without this, make this your mantra until next year's CEF update:
"do not open non-Steam urls within Steam".

and since you cannot upload that format to Steam, this should be unproblematic ... well, besides workshop content and then it depends on the game how bad this will end.

Yup. And with vulns like these, we're just fortunate that this didn't affect a format people can use in chat windows or in community content.

I just never use the steam in-game browser at all. They don't update it as quickly as dedicated browser vendors do, it's been caught out of date with pants down before.
Cray Oct 4, 2023 @ 4:08am 
Originally posted by captainducko:
thanks all..to confirm, steam has never supported webps in chat, workshop images, profile images or profile backgrounds? It's just viewing a website with a malicious webp with the browser? This is a massive vulnerability still can't believe they're not patching it.

There was a related bug that affected Dota 2 quite dangerously. It took them over a year to patch it. That vuln actually allowed arbitrary remote code execution (full OS takeover) as I recall.

Just don't use the in-game browser for anything, that's my simple rule. They're not particularly hasty in patching it.
You're told not to click unknown links from untrusted sources anyway.

https://help.steampowered.com/en/faqs/view/6639-EB3C-EC79-FF60
Dr.Shadowds 🐉 Oct 4, 2023 @ 4:32am 
Only use the in-game browser for trusted sites, don't randomly follow links you're not sure of, and be aware of people messaging you links out of the blue, such as those scam sites asking you to vote for their team, or whatever bs story scammers make up.
bidulless Oct 4, 2023 @ 6:00am 
Originally posted by Dr.Shadowds 🐉:
Only use the in-game browser for trusted sites, don't randomly follow links you're not sure of, and be aware of people messaging you links out of the blue, such as those scam sites asking you to vote for their team, or whatever bs story scammers make up.
Hello

True but not enough ...

Even a trusted web site can use an advert with an infected WebP image and you do not need to click it to let the code embedded inside the malicious picture be executed on your PC.
The best solution is: do not use the built-in browser.
Last edited by bidulless; Oct 4, 2023 @ 6:01am
Dr.Shadowds 🐉 Oct 4, 2023 @ 6:31am 
Originally posted by bidulless:
Originally posted by Dr.Shadowds 🐉:
Only use the in-game browser for trusted sites, don't randomly follow links you're not sure of, and be aware of people messaging you links out of the blue, such as those scam sites asking you to vote for their team, or whatever bs story scammers make up.
Hello

True but not enough ...

Even a trusted web site can use an advert with an infected WebP image and you do not need to click it to let the code embedded inside the malicious picture be executed on your PC.
The best solution is: do not use the built-in browser.
There's not a whole lot to go from there; it's something you have to be aware of. Even a normal browser can have vulnerabilities, which is why it's important to ALWAYS update, and advice like "don't use because of risk" is not gonna fly if someone wants to use a browser, may it be a normal or embedded browser, to access the internet to get info or other things online.

Use at your own risk, and the most common reason someone may use the in-game browser would be to check for info such as YouTube, game forums, game wikis, etc. Also, it's not ideal to use any personal banking, Amazon orders, and such via the in-game browser, as they're often outdated.

Another thing to note is that when there's a custom browser, you check what it has, whether it's self-contained so as not to allow access to what's outside of it, and whether it's affected by said kind of vulnerabilities, as some require certain things to be there in order to work. Hence the example: when Google, Edge, and such had to panic to update their browsers multiple times in the year due to said zero-day vulnerability, Steam didn't have to, because it didn't affect them due to lacking the things it needs enabled, or missing them, or being unable to execute the action due to restrictions. But since it's an old thing, it's still use at your own risk.


I would say to someone, don't use the "embedded browser" if they're unable to think for themselves, or need supervision, meaning they need someone to monitor them.
Last edited by Dr.Shadowds 🐉; Oct 4, 2023 @ 6:33am
bidulless Oct 4, 2023 @ 6:46am 
Originally posted by Dr.Shadowds 🐉:
Originally posted by bidulless:
Hello

True but not enough ...

Even a trusted web site can use an advert with an infected WebP image and you do not need to click it to let the code embedded inside the malicious picture be executed on your PC.
The best solution is: do not use the built-in browser.
There's not a whole lot to go from there; it's something you have to be aware of. Even a normal browser can have vulnerabilities, which is why it's important to ALWAYS update, and advice like "don't use because of risk" is not gonna fly if someone wants to use a browser, may it be a normal or embedded browser, to access the internet to get info or other things online.

Use at your own risk, and the most common reason someone may use the in-game browser would be to check for info such as YouTube, game forums, game wikis, etc. Also, it's not ideal to use any personal banking, Amazon orders, and such via the in-game browser, as they're often outdated.

Another thing to note is that when there's a custom browser, you check what it has, whether it's self-contained so as not to allow access to what's outside of it, and whether it's affected by said kind of vulnerabilities, as some require certain things to be there in order to work. Hence the example: when Google, Edge, and such had to panic to update their browsers multiple times in the year due to said zero-day vulnerability, Steam didn't have to, because it didn't affect them due to lacking the things it needs enabled, or missing them, or being unable to execute the action due to restrictions. But since it's an old thing, it's still use at your own risk.


I would say to someone, don't use the "embedded browser" if they're unable to think for themselves, or need supervision, meaning they need someone to monitor them.
Hello

It has the same capability, displaying WebP pictures, parsing and executing JavaScript, and it's based on a barebone old version of CEF from 2020 without any security fix applied since day one of CEF 85....
So at least we agree on that: do not use the built-in browser.
If you want to verify what I say, just open it and go to https://browserleaks.com/
I sincerely hope Steam will upgrade the CEF to v118+ after January...
omwb to my old steam client.
Last edited by bidulless; Oct 4, 2023 @ 7:08am
Originally posted by bidulless:
Originally posted by Dr.Shadowds 🐉:
There's not a whole lot to go from there; it's something you have to be aware of. Even a normal browser can have vulnerabilities, which is why it's important to ALWAYS update, and advice like "don't use because of risk" is not gonna fly if someone wants to use a browser, may it be a normal or embedded browser, to access the internet to get info or other things online.

Use at your own risk, and the most common reason someone may use the in-game browser would be to check for info such as YouTube, game forums, game wikis, etc. Also, it's not ideal to use any personal banking, Amazon orders, and such via the in-game browser, as they're often outdated.

Another thing to note is that when there's a custom browser, you check what it has, whether it's self-contained so as not to allow access to what's outside of it, and whether it's affected by said kind of vulnerabilities, as some require certain things to be there in order to work. Hence the example: when Google, Edge, and such had to panic to update their browsers multiple times in the year due to said zero-day vulnerability, Steam didn't have to, because it didn't affect them due to lacking the things it needs enabled, or missing them, or being unable to execute the action due to restrictions. But since it's an old thing, it's still use at your own risk.


I would say to someone, don't use the "embedded browser" if they're unable to think for themselves, or need supervision, meaning they need someone to monitor them.
Hello

It has the same capability, displaying WebP pictures, parsing and executing JavaScript, and it's based on a barebone old version of CEF from 2020 without any security fix applied since day one of CEF 85....
So at least we agree on that: do not use the built-in browser.
If you want to verify what I say, just open it and go to https://browserleaks.com/
I sincerely hope Steam will upgrade the CEF to v118+ after January...
omwb to my old steam client.

He's saying the browser is self contained in Steam unlike other browsers that don't sandbox.

This makes anything that happens in the browser stay within Steam and not spread outside of the client.
bidulless Oct 4, 2023 @ 8:35am 
Originally posted by SlowMango:
Originally posted by bidulless:
Hello

It has the same capability, displaying WebP pictures, parsing and executing JavaScript, and it's based on a barebone old version of CEF from 2020 without any security fix applied since day one of CEF 85....
So at least we agree on that: do not use the built-in browser.
If you want to verify what I say, just open it and go to https://browserleaks.com/
I sincerely hope Steam will upgrade the CEF to v118+ after January...
omwb to my old steam client.

He's saying the browser is self contained in Steam unlike other browsers that don't sandbox.

This makes anything that happens in the browser stay within Steam and not spread outside of the client.
Hello

Yes it's sandboxed but it does not change the problem.. even CEF has already patched this vulnerability, so guess why? It's sandboxed like all browsers that already patched it ....
Last edited by bidulless; Oct 4, 2023 @ 8:37am
Originally posted by bidulless:
Originally posted by SlowMango:

He's saying the browser is self contained in Steam unlike other browsers that don't sandbox.

This makes anything that happens in the browser stay within Steam and not spread outside of the client.
Hello

Yes it's sandboxed but it does not change the problem.. even CEF has already patched this vulnerability, so guess why? It's sandboxed like all browsers that already patched it ....


Not every browser based on CEF is sandboxed.
bidulless Oct 4, 2023 @ 8:46am 
Originally posted by SlowMango:
Originally posted by bidulless:
Hello

Yes it's sandboxed but it does not change the problem.. even CEF has already patched this vulnerability, so guess why? It's sandboxed like all browsers that already patched it ....


Not every browser based on CEF is sandboxed.
hello

Which one?
chrome, brave, edge are sandboxing chromium xd
Last edited by bidulless; Oct 4, 2023 @ 8:46am

Date Posted: Oct 2, 2023 @ 4:38pm
Posts: 25