Announcement

Collapse
No announcement yet.

Steam Profiles Are Once Again Safe to Visit

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Steam Profiles Are Once Again Safe to Visit

    Earlier today, a warning came by telling users not to visit any Steam profile or even their own Activity Feed within Steam. This was actually a major security issue with how the "My Guides Showcase" parsed scripts that were placed within the title of guides.

    This allowed for code to be injected into anybody that put these malicious guides into their Showcase. This then made visiting affected profiles a security risk along with the Activity Feed that displayed these guides that friends added to their own Showcases.

    Valve has since fixed this exploit. An explanation of how the code worked was provided on Reddit.
    The "My Guides showcase" (multi-guide showcase) parsed scripts placed in guides' Title section. You could inject code via putting such guides up on your showcase. Favorite Guide was NOT vulnerable, only multi-guide showcase was. Repro steps:

    1) Your profile must be at least Level 10 (to access My Guide Showcase)
    2) Create a Guide and put your script/payload in Title (-> Enter the title for your guide)
    3) Publish the Guide & Feature it on your profile Guide Showcase

    An example piece of code was provided in the explanation.

    Code:
    <script>document.getElementsByClassName("xp")[0].innerHTML="+REDDIT Moderator"</script>
    This would result in something like this showing up on a user's profile.


    This is, of course, one of the more tame things that could have been done. The initial warning suggested that the exploit could have been used to discreetly redirect you to any non-Steam page, such as a legitimate looking fake login page. These malicious scripts could have also used funds in your Steam Wallet to quietly purchase any item that the person wanted.
Working...
X