By Tom Phillips Published 07/02/2017
Steam users have today been warned to be careful browsing Steam - an XSS exploit has been discovered which could threaten your account's security.
The issue's existence was made public by a mod on Steam's official Reddit, and SteamDB has also confirmed the exploit to be worth taking note of - at least until Valve wakes up and fixes it.
Steam users are warned to be careful opening any profile pages on the service, and to ignore any suspicious links.
The exploit takes advantage of an XSS (cross-site scripting) flaw in Steam, which lets others inject their own code. Anyone with the right know-how could harness your profile to perform actions on your behalf.
Anyone who thinks they may have been affected should change their password, enable a mobile authenticator - and scan their system for malware.
My PlayStation 4™ computer entertainment system doesn't have this issue.
Nolan Roberts
go trust sony with your credit card again or something
Jaxson Adams
Is this why steam has been offline the past couple hours?
Kayden Powell
You can just not use any of Steam's community features and use it just as a digital storefront.
Zachary Allen
Sticky this please Mods. OP implores you to keep this information relevant
Changed my Password in the steam client and I went above and beyond to create a new email. I changed my debit/payment info and more so..
Christopher Peterson
>mfw I clicked it
Cameron Robinson
You should be fine as long as you have the mobile authenticator.
Jack White
>make embarrassing post on steam forums, screencap it and share on Sup Forums
>Sup Forums finds out your profile and bullies you
>you get the last laugh as Sup Forums is fucked because your profile is boobytrapped with this exploit
Leo Gomez
MODS STICKY THIS
Oliver Martinez
I don't think I've clicked on anyone's profile today, so I should be fine.
Camden Scott
>tfw I have two step authentication on everything and no need to worry
Why wouldn't you?
Elijah Sullivan
1. First of all if you use the steam client browser (chromium) for any reason, you are a complete fucking idiot, you can not control the steam client browser it is locked down for retards, no adblock or noscript available
2. if you don't have adblock or noscript for your desktop browser and are browsing XSS sites you are a fucking idiot and deserved to be hacked.
Caleb Garcia
Wait, did anyone else have to log into Steam and authenticate again this morning? Also, all my Steam settings reset. I thought it was strange. Was that just a security precaution Valve took or did I get rekt?
Bentley Long
dont have a cell phone
Aiden Reyes
>Steam's official Reddit
Uninstall.exe
Brody Brown
>csgo.gif
Leo Hernandez
LOL
Liam Wood
Restarted steam a while ago to update siege and that didnt happen to me.
Landon Young
reddit cancerous community aside is the best site for keeping up with devs since they only use twitter and reddit but hey you are probably a turboautist shitposter and I'm just wasting my time talking to you so whatever
Jason White
You are fucked, good knowing you.
Cameron Rodriguez
You got rekt
Carter Hill
You might want to stop visiting Sup Forums, playing vidya, eating food and breathing air too.
Gavin Perry
>giving valve your phone number
>giving psn/xbl your CC
>Not using prepaid cards to purchase digitally
Dylan Sanders
>im poor
>im retarded
>i live in a third world country
>im a backwards-ass high school dropout beta male
>my parents hate me
jeez user say it dont spray it
Thomas Cox
>Was that just a security precaution Valve took or did I get rekt?
Yes and no. It was me. I'm your biggest fan.
Adrian Hernandez
welp
>clicked it then my steam client crashed
>tries to log back in but fails
>open up keepass to put in password manually, says it's incorrect
>cool beans i guess
Levi Phillips
Memes aside, I wonder if there really was an attempt on my account and Steam guard simply prevented it and made me re-authenticate and shit.
Wonder why all my settings reset too though, it acted like a fresh Steam install.
Bentley Cox
clicking on the links here in your desktop browser will do nothing if you have noscript since it detects XSS
if you were dumb enough to browse Sup Forums on steams browser and click the links you are fucked.
Eli Torres
>Steam's official Reddit
Jesus christ
Luis Gutierrez
Why would they need Reddit of all things? How is it better than twitter/facebook/their own user forums?
Elijah Davis
whats the point of owning a cell phone, user?
Luis Reyes
Nigger you got rekt Just wait a month or 2
Hunter Bennett
>tfw WP
Xavier Thompson
then use e-mail with different password, duh
Joseph Richardson
So? What's the problem?
Steam isn't DRM, remember? You don't need it or your account to play your games, right?
Camden Walker
Two-step verification lel
Nathan Myers
There is really no reason to piss away $500 plus contract fees for no real reason when I have a home PC and landline.
Parker Parker
To keep in touch with your friends of course! ;_;
Austin Adams
>be me
>yesterday
>click profiles
>router clogging and slow as hell suddenly
>get 'suspicious amount of traffic' notice
>cant open any webpage
>reset router over and over
>nothing opens when i click it even after restarting
>internet still slow
>come to campus today and see this
>mfw
passwords C H A N G E D
Christian Sanders
Nah, I've never lost an account in my life except my World of Warcraft one ten years ago, and that was only because I let my friend borrow it. Already quit the game anyway, otherwise I probably would have worked harder to get it back.
And this Steam account predates even that account.
Aiden Gonzalez
to call mummy to see what time she's getting home so you can eat din din
Nathaniel Kelly
I've no idea honestly
Ryder Campbell
kek, people unironically stay in contact with their """"friends""""?
Jonathan Jenkins
Can someone explain it for a lazy retard please? What does this mean if I don't use the browser in steam nor click on random faggot's profiles? I just changed my password for the hell of it.
Aaron Myers
>never check profiles because no friends
>fight against a really good player yesterday
>curious how many hours he has put into the game
>search his name
>10,000 results
>start clicking down the line
Fuck's sake
Xavier Williams
...
Andrew Rivera
Do people realize phone authentication for steam for a while now ?
Grayson Baker
If you've been on the steam main page in the last 36 hours, you're fucked
Doesn't matter which browser
Ethan Fisher
I think it was bothersome for everyone and everyone welcomed the chaotic facebook feed. I would honestly stop using a phone if it wasn't a huge red flag on the CVs. Just use the fucking e-mails.
Nathaniel Phillips
not that guy but what's the point of a smartphone? My phone is some 15 year old Nokia and it does what it's supposed to, text and call Smartphone users should just KYS, would make the world a better place
Jonathan Bell
They've actually made an official one now
William Russell
Steamguard without phone authentication has also existed for a long time, normie
Michael Peterson
how do you do it without a phone?
Cooper Lewis
Steam Store is fine, its the user editable profiles that arent
Wyatt Davis
>KYS
Are you twelve?
Alexander Phillips
>using javascript botnet >not using noscript
Wew lad I thought you were smarter than this Sup Forums
Oh wait.
Ryder Cruz
Why the fuck did do it and continue when even because though it was fucked?"
Cameron Jones
You're either my grandmother or a contrarian if you don't see the benefit of having a small computer with constant internet access with you all the time. Of course if you don't leave your room it may seem like a toy. Still doesn't make you less wrong.
Dominic Gray
I do SSH to my client's servers, Browse the web including 4chins, watch some youtube and chat.
Kayden King
Not sure if you're fucking around or what? The reddit post suggests it's strictly a chance from looking at the feed shite or profiles which I do neither of. If the store were fucked everyone would be.
Jack Edwards
E-mail with the security code if someone logs in from a new IP
Back to Plebbit you go
Dylan Fisher
This happens to me occasionally too. I don't know why it happens but it's just a minor annoyance. I don't think I've had my account stolen considering how I never got a notification about some other IP trying to access my account.
Elijah Fisher
People got around for thousands of years without having to have constant internet access. Treat your addiction, Millennial.
Sebastian Hughes
Wew, I thought they would never do that, because WP is not that popular.
Jaxson Hughes
I think it's happened to me once before. but I've been on Steam for twelve years so quite a coincidence that this happened when this supposed security problem did.
Alexander Mitchell
Oh I thought you meant something else. I've been doing the email thing for years.
Gabriel Reed
Okay, you're baiting.
Gavin Brooks
>tfw i dont care anymore
Mason Parker
>Not blocking XSS requests
I guess it could still work in the Steam client? Then again, fuck the whole community bullshit of Steam, just play the fucking games.
Brody Hill
>using 90s internet
>ads everywhere
>never had an Anti-virus scanner
>scan PC in 2000s, i had 500+ viruses, trojans, keyloggers etc.
no personal details were stolen because back then modern social media sites didn't exist and everyone relied on alias, everyone knew to not input personal information of any kind
and that still blows my mind
Adrian Garcia
This is some low quality trolling right here.
Asher Morales
oh nooo people will steal my account that i never use with a total of 6 games
Sebastian Hernandez
Does anyone actually use the steam browser? It feels like fucking using a browser from 12 years ago with none of the improvements or features since then If I want to open a link a friend sends me, I'd rather fucking alt+tab out of the game to open it in my proper browser than opening it in the steam browser
Jaxson Ross
>using the steam browser ever
>not having noscript and umatrix have your back
>looking at other people's steam profiles
>not using 2-step authentification
>saving passwords on your pc or using password managers instead of memorizing them
>giving steam, psn, xbl and payment info
you deserve every bit of trouble coming your way
Xavier Hernandez
> fuck the whole community bullshit of Steam
true, the only thing worth a damn is the community market and workshop
Leo Sullivan
fucking THIS
The amount of people i see freely giving away their personal data just because it ask them to is seriously fucked.
Logan Martin
It's okay when a game refuses to alt+tab and I quickly need to look something up. Otherwise, no. It's terrible.
Mason Reyes
people have been complaining to fat shit gabe to fix the browser since 2009 and even prior to that.
Cooper Stewart
Most of Steam is displayed in the browser.
Julian Sullivan
Can I have it? :^)
Adam Rogers
perhaps Valve should implement Webkit into Steam or something.
Luke Rogers
>everyone knew to not input personal information of any kind
Social Media is so fucking stupid I sometimes read youtube comments (it's a guilty pleasure shut up) and there's fucking 11 year old kids throwing tantrums or having stupid arguments, and they all have their real name attached to their account
Jace Sanchez
Yeah, I use it almost every time I start Steam in fact.
Robert Gray
Oh right, that's another thing One time, a friend offhandedly mentioned something about the store interface or somesuch, and I realized he's actually using the fucking steam browser to look at sales The only thing I ever look at is my library, all the looking at profiles or buying games I do in a real browser
Andrew James
>you made a comment using your real name in 2003 on some derelict website
>manage to contact someone in charge and they take down the WHOLE website
what have I done
Jason Fisher
but what about my steam bf
Michael Collins
God's work, user. Purge the filth.
Angel Gutierrez
They already have.
They used to use IE.
Aaron Jones
I don't get it so if I just use my account to only play games and not erp with homos or furfags as usual I'm unaffected?
Jayden Wood
Shit works off nearly every steam page btw. Your activity feed, boards, even fucking reviews.
Just stay the fuck off steam until it's fixed.
Nolan Foster
basically, remove all russians from your friends list.
Samuel Garcia
>tfw recently remember i had a myspace full of cringey shit, using my real name
>tfw my avatar was starscream from the bayformers
>tfw i had a three days grace backround
>tfw i had pics of me in a fedora
ive never been so driven to eradicate something so quickly as i was then
Dominic Jones
I use it to look up shit about games that am playing, especially trivia about things I've done on repeat playthroughs of a game.
Matthew Walker
Gabe, if you haven't already, STOP STUFFING YOUR FACE AND FIX THIS