Valve quickly fixed a Steam profile XSS exploit that could have let attackers redirect people to other web pages, fraudulently use Steam Market funds, and change aspects of the page at will. The problem was revealed on Reddit, and just eight hours later, another Reddit post confirmed that it was fixed.
Here's an excerpt of the original warning from Reddit user "R3TR1X":
Currently, there is a risk (i.e. phishing, malicious script execution, etc.) involved when viewing or simply opening PROFILE pages of other steam users as well as your OWN activity feed (both desktop and mobile versions on all browsers including steam browser/chromium). I would advise against viewing suspicious profiles until further notice and disable JavaScript in your browser options. Do NOT click suspicious (real) steam profile links and Disable JavaScript on Browser. Appropriate information has been forward to Valve and this issue should be resolved soon, sorry for any inconvenience.
Moderator "DirtDiglett" followed up to say:
With the right know-how a malicious user could do these actions for example, and you only need to view a Steam Profile:Redirect you to any non-steam page, for example a phishing login page. From a user perspective it is you going to a legitimate Steam profile, then you see a login page. Seems legit right? Pop in your info. You didn't click anything suss so it's no big deal.Utilize scripting to use your Steam Market funds on any item the malicious user chooses, you wouldn't even need to confirm anything as you're on a valid login session.Manipulate elements on the page as they see fit.
Valve did not respond to multiple requests for more information about the exploit. Yet R3TR1X posted another thread confirming that the issue has been fixed just eight hours after the first disclosure. They also shared more details about the exploit, given that it could no longer be taken advantage of:
The "My Guides showcase" (multi-guide showcase) parsed scripts placed in guides' Title section. You could inject code via putting such guides up on your showcase. Favorite Guide was NOT vulnerable, only multi-guide showcase was. Repro steps:Your profile must be at least Level 10 (to access My Guide Showcase)Create a Guide and put your script/payload in Title (-> Enter the title for your guide)Publish the Guide & Feature it on your profile Guide Showcase
Steam is a good target for attackers. Many people have their credit cards attached to the service--it is a popular games marketplace, after all--and might not think twice about entering their login credentials if they're redirected to a phishing site. Phishers have recreated Netflix sign-in pages to steal information; why not go after other entertainment services? It might also be tempting to waste someone's money after a heated discussion or match.
Valve is no stranger to XSS exploits. Others were revealed in 2011, 2014, and 2016. They became so common that the folks at SteamDB, which has no official affiliation with Valve or Steam but offers lots of information about the service, vowed in 2015 to immediately warn people about new exploits. SteamDB recognized that it's a tough problem--it's "very hard to completely avoid XSS issues," it said--yet still noted that something must be done.
Now it seems like Valve's security team is no longer messing around. Anyone who discovers similar problems with Steam can let Valve know using the information on this page. The company might not always fix the problem within eight hours, but considering how long other companies take to address security vulnerabilities, Valve's quick response to this exploit is nothing short of astounding.
