Warning whistle: beware a possible Steam security hole

Update: The exploit which let subversive Steamers inject code into Steam pages has been fixed. The eagle-eyes who spotted the security hole say it’s once again safe to visit profiles, activity feeds, and all that. If you’re curious, follow that link to discover quite how the exploit worked. Spoiler: it involved putting naughty code in the titles of guides.

Just to be safe, don’t go near any of Steam’s social pages for a bit. A group from the Steam subreddit say they have discovered an exploit related to Steam profiles, which could do some dreadful things. Even looking at your Activity feed could let people redirect you to non-Steam sites or even silently buy Community Market items with your Wallet funds. Valve haven’t commented on this yet but, for now, probably best to be safe. What’s the harm in not peeping on your pals for a while?

The issue is raised by several moderators of the Steam group on Reddit, which is unofficial but is broadly respectable enough that this would be a curious prank for them to pull. If this isn’t some ha-ha-hilarious boner, then Steam may be suffering from a security hole which would let scoundrels mess with you from within Steam. ‘R3TR1X’ says:

“Currently, there is a risk (i.e. phishing, malicious script execution, etc.) involved when viewing or simply opening PROFILE pages of other steam users as well as your OWN activity feed (both desktop and mobile versions on all browsers including Steam). I would advise against viewing suspicious profiles until further notice and disable JavaScript in your browser options. Do NOT click suspicious (real) Steam profile links and disable JavaScript in your browser. Appropriate information has been forwarded to Valve and this issue should be resolved soon, sorry for any inconvenience.”

Fellow subreddit moderator ‘DirtDiglett’, who says they’re a web developer, adds:

With the right know-how a malicious user could do these actions for example, and you only need to view a Steam Profile:

  • Redirect you to any non-Steam page, for example a phishing login page. From a user perspective it is you going to a legitimate Steam profile, then you see a login page. Seems legit right? Pop in your info. You didn’t click anything suss so it’s no big deal.
  • Utilize scripting to use your Steam Market funds on any item the malicious user chooses, you wouldn’t even need to confirm anything as you’re on a valid login session.
  • Manipulate elements on the page as they see fit.

That would be bad! Valve should start waking up any time now so I hope we’ll hear more soon. Even if this is nothing, better safe than sorry?
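To make the mechanism concrete, here is an added illustration that is not code from this article, from the Reddit moderators, or from Valve. It mimics what the update describes: a user-controlled string (a guide title) that is dropped straight into a profile page’s HTML, so a title containing a script runs in every visitor’s logged-in session and can redirect them or fire authenticated requests. The function names, the phishing hostname and the `/market/buy` path are all made up for the demonstration; the hostile titles are constructed samples, not real payloads from the incident.

```javascript
// Added example (not from the article, the subreddit or Valve). Shows how a
// stored XSS in a user-supplied guide title reaches a profile page, and the
// output escaping that stops it. All names and URLs are illustrative.

// Constructed sample titles. The second and third are the kind of thing the
// moderators warned about: a redirect to a phishing login, and a request that
// rides on the victim's existing Steam session (path is invented).
const guideTitles = [
  "How to beat the final boss",
  '<script>location="https://phish.example/login"</script>',
  '<img src=x onerror="fetch(\'/market/buy\',{method:\'POST\'})">',
];

// Vulnerable pattern: the title is concatenated straight into HTML, so any
// markup inside it is interpreted by the browser as part of the page.
function renderGuideUnsafe(title) {
  return `<li class="guide">${title}</li>`;
}

// Escape the five characters that matter in HTML text and attribute context
// so the title is treated as data, not markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: same template, but the untrusted value is escaped at the
// point where it is written into HTML.
function renderGuideSafe(title) {
  return `<li class="guide">${escapeHtml(title)}</li>`;
}

// Crude check a reviewer or a unit test might use: does the rendered fragment
// contain any tag other than the <li> we intended to emit?
function containsForeignMarkup(html) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => t !== "li");
}

// Render every sample title both ways and report whether attacker markup
// survived into the page.
function demo() {
  return guideTitles.map((t) => ({
    title: t,
    unsafeLeaks: containsForeignMarkup(renderGuideUnsafe(t)),
    safeLeaks: containsForeignMarkup(renderGuideSafe(t)),
  }));
}

console.table(demo());
```

Run with `node`: the two hostile titles leak markup through `renderGuideUnsafe` and none through `renderGuideSafe`. The point for the “you’re on a valid login session” worry in the list above is that the injected script runs with the victim’s cookies, so any request the page itself could make, the payload can make too; output escaping (plus a Content-Security-Policy as defence in depth) is what keeps the title from ever becoming script.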

16 Comments

  1. thedosbox says:

    Not going to share the link, but there’s a proof-of-concept circulating on twitter – i.e. this is a real vulnerability. What’s not yet known is how vulnerable the built-in steam browser is.

    • Kefren says:

      Mine’s safe, because if I click on anything in the Steam browser other than my games list (so EULAs, friends, manuals, store) I just get an error. Phew!

  2. Catchcart says:

    If I get this right, the issue is that people can customise their profiles and apparently throw in a bit of javascript on them to manipulate a login link on that same page. Right? I don’t think I have ever logged in to Steam via other people’s profiles but maybe that’s just me being non-social. Better safe than sorry, I guess. Thanks for the heads-up.

    • thedosbox says:

      I don’t think I have ever logged in to Steam via other people’s profiles

      It’s not about logging in via another profile. It’s about code embedded in profiles being able to redirect you to a malicious site. That site could then try to trigger known vulnerabilities in your browser or plugins.

      That has possible ramifications for anyone logged into steam via their browser.

      What’s not clear at the moment is whether this is an issue for the embedded browser within the steam client (though I suspect it is).

      [edit] I see the reddit thread now states that the steam browser is also affected

    • alphager says:

      The attacker can also force you to buy something off the community market without any interaction from you. (if you have funds in your steam wallet or a payment source that does not redirect to an external page for confirmation)

  3. TR`Ben says:

    I’ll put my Steam in offline mode for a while.
    Thanks for the warning!

  4. cardboardcity says:

    thanks for the warning. thank god I don’t have any friends.

  5. sleepisthebrotherofdeath says:

    This is not a problem for me as I have no friends.

  6. kirito says:

    Joke about not having friends lol.

  7. phuzz says:

    I might have friends, but I don’t have any money in my steam wallet.

    • Someoldguy says:

      I didn’t even know Steam had a money wallet. I assumed that was the bin that Steam keep adding random crap to every time I buy a game, for no reason I can be bothered to understand.

  8. SepticKnuckles says:

    There’s an update for this. Fix is meant to be in place.

  9. trjp says:

    The idea of being able to sell an item without confirmation “because you’re logged-in” is wrong.

    EVERY transaction on the market has to be confirmed via the Steam Mobile App – even if you sell FROM the Steam Mobile App!!

    At least that’s true in the countries which require use of the Mobile App for authentication which is pretty much everywhere these days?

  10. Kodaemon says:

    Damnit, I’m waiting for Steam to REALLY fail so I can dance on its grave and shout “I TOLD YOU SO.” Yeah, I hate Steam and other similar systems. GOG being the sole exception since its anti-DRM stance.

    • Rublore says:

      …You want millions of people to be horribly inconvenienced so you can stroke your ego? Wouldn’t it be nicer to hope that Steam and the other services improve to the point where they no longer offend you with their existence? Perhaps offer their developers some suggestions.