Nizx28 Feb 7, 2017 @ 5:48am
What's up with the new steam profile exploit issue ?
javascript can written through guide ? so you can steal information ? what?
< >
Showing 1-15 of 15 comments
Nizx28 Feb 7, 2017 @ 5:51am 
i see, thank you
Basically, some people "rigged" their profile in steam to be a "phising" site, so if you access it, you get infected

Best way to deal with this is to NOT go into the profile of people you don't know, and to not accept any untrusted friend invites for the mean time

I highly suggest to use VPN when you're looking into people's profiles, just to be safe
Last edited by Just like Dragon Age!; Feb 7, 2017 @ 5:53am
Currently, there is a risk (i.e. phishing, malicious script execution, etc.) involved when viewing or simply opening PROFILE pages of other steam users as well as your OWN activity feed (both desktop and mobile versions on all browsers). I would advise against viewing suspicious profiles until further notice and disable JavaScript in your browser options. Do NOT click suspicious (real) steam profile links and Disable JavaScript on Browser. Appropriate information has been forward to Valve and this issue should be resolved soon, sorry for any inconvenience.
Anyone (with knowledge of the exploit) who uses or abuses it FOR ANY REASON will RISK RECEIVING A COMMUNITY BAN. If you find any such profile that you can't report (as in literally cannot use the report button), please PM them to me.
Keep in mind that any discussion on any exploit method is NOT allowed here and will result in a ban without warning. This post is intentionally vague, and will be kept that way due to the nature of this exploit.
And to make it VERY clear: do NOT post profile links on this sub (temporarily), do NOT post proof of concepts (we have the repro steps and passed them on), do NOT post anything relevant that might provide information on how to do this exploit (incl. youtube links). This post is your warning.
TO THOSE POSSIBLY AFFECTED:
Change your Steam Account password, enable Mobile Authenticator if it's not on already (otherwise deauthorize Steam Guard on all systems from settings) then restart your modem/change IP. You might want to also consider scanning your system with a malware scanner/anti-virus.

I'm a web developer, and have investigated and created proofs of concept for this exploit.
With the right know-how a malicious user could do these actions for example, and you only need to view a Steam Profile:
Redirect you to any non-steam page, for example a phishing login page. From a user perspective it is you going to a legitimate Steam profile, then you see a login page. Seems legit right? Pop in your info. You didn't click anything suss so it's no big deal.
Utilize scripting to use your Steam Market funds on any item the malicious user chooses, you wouldn't even need to confirm anything as you're on a valid login session.
Manipulate elements on the page as they see fit.
PLEASE Ensure that you are triple-checking the website URL before doing anything with your sensitive information.

Go into your Steam Settings and enable "Display Steam URL Address Bar When Available", and triple-check. Also try to avoid viewing profiles of anybody you're unfamiliar with.

I've forwarded my proofs of concept to Valve Security and they should be actioning this very rapidly.

Something i found
ErickaUnlimited Feb 7, 2017 @ 6:03am 
It's a bit more complicated than that. Viewing a profile isnlt going to get you outright hijacked. That's just not possible. What they're referring to is people rescripting their profile to redirect you to a fake Steam website, hoping you log in, ultimately sending your login info to them.

As always, just check the URL before logging into Steam if you're using the browser veraion of Steam. If you're on the actual APP then it's really easy to catch the phising site.
Last edited by ErickaUnlimited; Feb 7, 2017 @ 6:03am
Tronex Feb 7, 2017 @ 6:34am 
Originally posted by 💔💔ErickaUnlimited💔💔:
It's a bit more complicated than that. Viewing a profile isnlt going to get you outright hijacked. That's just not possible. What they're referring to is people rescripting their profile to redirect you to a fake Steam website, hoping you log in, ultimately sending your login info to them.

As always, just check the URL before logging into Steam if you're using the browser veraion of Steam. If you're on the actual APP then it's really easy to catch the phising site.
Non-experienced internet users (which are the huge part of steam users) will fall easily for it.
Nizx28 Feb 7, 2017 @ 6:36am 
i made some artwork with some code included (too make it bigger) and put music through guide (also has code in it), will it get me a community ban ?
MancSoulja Feb 7, 2017 @ 6:52am 
Basically people have found a way to insert java code into their profiles, this code is executing when anyone visits their profile and can have a number a nasty effects like redirecting you to malicious websites.
Last edited by MancSoulja; Feb 7, 2017 @ 6:53am
MancSoulja Feb 7, 2017 @ 6:53am 
Originally posted by Mysterio:
i made some artwork with some code included (too make it bigger) and put music through guide (also has code in it), will it get me a community ban ?

Yes, very much so.
Nizx28 Feb 7, 2017 @ 7:00am 
oh crap ;o but thank you for that info man
Turtle God Feb 7, 2017 @ 7:00am 
Originally posted by Mysterio:
oh crap ;o but thank you for that info man
welp its 2 late
you used the exploit
you gonna get banned
MancSoulja Feb 7, 2017 @ 7:02am 
Originally posted by Mysterio:
oh crap ;o but thank you for that info man

The artwork showcase on your profile has already been disabled. That's a big hint that Steam has already found out >_<
Nizx28 Feb 7, 2017 @ 7:17am 
Originally posted by MancSoulja:
Originally posted by Mysterio:
oh crap ;o but thank you for that info man

The artwork showcase on your profile has already been disabled. That's a big hint that Steam has already found out >_<

no man, i changed it myself few hours ago
Nizx28 Feb 7, 2017 @ 7:18am 
Originally posted by Turtle God:
Originally posted by Mysterio:
oh crap ;o but thank you for that info man
welp its 2 late
you used the exploit
you gonna get banned

been told that i need to remove it before steam patch, i dont know man, just wait and see i guess
ReBoot Feb 7, 2017 @ 7:35am 
Redirecting to a malicious web site is a boring attack vector as its easy to protect oneself. Doing stuff with the valid log in session, that's dangerous.
< >
Showing 1-15 of 15 comments
Per page: 15 30 50

Date Posted: Feb 7, 2017 @ 5:48am
Posts: 15