
Warning whistle: beware a possible Steam security hole

Just in case

Update: The exploit which let subversive Steamers inject code into Steam pages has been fixed. The eagle-eyes who spotted the security hole say it's once again safe to visit profiles, activity feeds, and all that. If you're curious, follow that link to discover quite how the exploit worked. Spoiler: it involved putting naughty code in the titles of guides.
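The bug described above is stored cross-site scripting: a user-supplied string (a guide title) was written into profile and activity-feed HTML without being escaped, so markup in the title ran in every visitor's browser. The example below is added here and is not Steam's code; it uses a constructed guide record and a constructed card template to show the unsafe rendering beside the escaped one, plus a simple check a test suite could run to flag markup that did not come from the template.

```javascript
// Added example (not Steam's or the original article's code): raw versus
// escaped interpolation of user-controlled text into page HTML.

// Characters that carry meaning in HTML text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a string so the browser renders it as literal text, never as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable template (hypothetical): drops the title straight into the markup.
function renderGuideCardUnsafe(guide) {
  return `<div class="guide"><h3>${guide.title}</h3><p>by ${guide.author}</p></div>`;
}

// Hardened template: every untrusted field is escaped for HTML context.
function renderGuideCardSafe(guide) {
  return `<div class="guide"><h3>${escapeHtml(guide.title)}</h3>` +
         `<p>by ${escapeHtml(guide.author)}</p></div>`;
}

// Regression check: does the rendered markup contain any tag the template
// itself does not emit, or an inline event-handler attribute? This is a
// test-time guard, not a replacement for escaping at the output point.
const TEMPLATE_TAGS = new Set(['div', 'h3', 'p']);
function containsForeignMarkup(html) {
  const tagRe = /<\/?([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!TEMPLATE_TAGS.has(m[1].toLowerCase())) return true;
  }
  return /\son[a-z]+\s*=/i.test(html);
}

// Constructed sample record: a guide whose title carries markup, the
// situation the update above describes.
const SAMPLE_GUIDE = {
  title: 'Speedrun tips <script>alert("hello")</script>',
  author: "O'Brien & co",
};
```

Run `containsForeignMarkup(renderGuideCardUnsafe(SAMPLE_GUIDE))` and the same call on the safe renderer to see the first flagged and the second clean; the safe output carries the title as `&lt;script&gt;...`, which browsers display but never execute.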

Just to be safe, don't go near any of Steam's social pages for a bit. A group from the Steam subreddit say they have discovered an exploit related to Steam profiles, which could do some dreadful things. Even looking at your Activity feed could let people redirect you to non-Steam sites or even silently buy Community Market items with your Wallet funds. Valve haven't commented on this yet but, for now, it's probably best to be safe. What's the harm in not peeping on your pals for a while?

The issue is raised by several moderators of the Steam group on Reddit, which is unofficial but is broadly respectable enough that this would be a curious prank for them to pull. If this isn't some ha-ha-hilarious boner, then Steam may be suffering from a security hole which would let scoundrels mess with you from within Steam. 'R3TR1X' says:

"Currently, there is a risk (i.e. phishing, malicious script execution, etc.) involved when viewing or simply opening PROFILE pages of other Steam users as well as your OWN activity feed (both desktop and mobile versions on all browsers including Steam). I would advise against viewing suspicious profiles until further notice and disable JavaScript in your browser options. Do NOT click suspicious (real) Steam profile links and disable JavaScript in your browser. Appropriate information has been forwarded to Valve and this issue should be resolved soon, sorry for any inconvenience."

Fellow subreddit moderator 'DirtDiglett', who says they're a web developer, adds:

With the right know-how a malicious user could do these actions for example, and you only need to view a Steam Profile:

  • Redirect you to any non-Steam page, for example a phishing login page. From a user perspective it is you going to a legitimate Steam profile, then you see a login page. Seems legit right? Pop in your info. You didn't click anything suss so it's no big deal.
  • Utilize scripting to use your Steam Market funds on any item the malicious user chooses, you wouldn't even need to confirm anything as you're on a valid login session.
  • Manipulate elements on the page as they see fit.

That would be bad! Valve should start waking up any time now so I hope we'll hear more soon. Even if this is nothing, better safe than sorry?
