
new XSS exploit discovered in STEAM, stay away from profile pages - it's now fixed

zMeul

source: https://www.reddit.com/r/Steam/comments/5skfg4/warning_regarding_a_steam_profile_related_exploit/

 

 


 

why I say again? because another XSS exploit was discovered 2y ago: https://steamdb.info/forum/292/why-an-xss-exploit-on-steamcommunitycom-is-scary/

 

Quote

Currently, there is a risk (i.e. phishing, malicious script execution, etc.) involved when viewing or simply opening PROFILE pages of other steam users as well as your OWN activity feed (both desktop and mobile versions on all browsers including steam browser/chromium). I would advise against viewing suspicious profiles until further notice and disable JavaScript in your browser options. Do NOT click suspicious (real) steam profile links and Disable JavaScript on Browser. Appropriate information has been forwarded to Valve and this issue should be resolved soon, sorry for any inconvenience.

 

enable your two-factor auth people, and stay away from profile pages .. any profile page

 

it's good that ValvE notified users as soon as possible about the security risk

 

---

 

edit: exploit has been fixed and profile pages are now safe to browse

 


I remember when this happened a few years ago, I had just made another steam account the same day, luckily I don't save my payment info but I did get access to other people's account!

Hello


And this is why no one should be setting password remembering on for paypal in steam or anywhere


8 minutes ago, MadOlive said:

And this is why no one should be setting password remembering on for paypal in steam or anywhere

That's why there is 2 factor authentication


1 minute ago, deXxterlab97 said:

2 factor authentication doesn't help with that

Yea ik... a friend of mine got her account hacked a while back and the hacker bought 50 pounds worth of csgo cases. He couldn't get them out of her account due to the 2-step but he could buy them and you won't get the damage refunded.

So never ever make steam remember your PayPal password! At most your login mail address!


10 minutes ago, deXxterlab97 said:

That's why there is 2 factor authentication

But it's so annoying. I would rather get my account hacked and go through 2 weeks of trouble with steam to get it back, than having to deal with 2FA.

 

 

 

 


1 minute ago, Senzelian said:

But it's so annoying. I would rather get my account hacked and go through 2 weeks of trouble with steam to get it back, than having to deal with 2FA.

How is it annoying? You just enter the code that was given to you and you can also save the code for this device so it doesn't prompt you anymore


13 minutes ago, deXxterlab97 said:

That's why there is 2 factor authentication

2 factor doesn't completely prevent hacks, especially with PayPal's idiot phone support. I managed to hack into over a dozen of people's accounts on PayPal that had 2FA just to show them that PayPal doesn't protect your account at all.

4 minutes ago, Senzelian said:

But it's so annoying. I would rather get my account hacked and go through 2 weeks of trouble with steam to get it back, than having to deal with 2FA.

You're fucking lazy, it takes less time to type the 6-digit code than it does to type in your password.

 

 


8 minutes ago, Senzelian said:

But it's so annoying. I would rather get my account hacked and go through 2 weeks of trouble with steam to get it back, than having to deal with 2FA.

Having had my account hacked and now using two-factor authentication I have to say that you're mad!

 

Install the Steam app on your phone and whenever you try to log in somewhere new or do something that needs a two-stage process your phone will go off with the info you need right there on the notifications screen. Damn sight easier than going through Steam customer services and resetting all my account information.


5 minutes ago, Jed M said:

You're fucking lazy, it takes less time to type the 6-digit code than it does to type in your password.

unless his password is 5-digits, or less :P


5 minutes ago, deXxterlab97 said:

How is it annoying? You just enter the code that was given to you and you can also save the code for this device so it doesn't prompt you anymore

I tried it, it didn't even work half of the time. Then there is this weird 16 billion digit code which I don't even know what it does.

 

4 minutes ago, Jed M said:

You're fucking lazy, it takes less time to type the 6-digit code than it does to type in your password.

 

No it doesn't, since I have to look at my phone first. Srsly, that wasn't even my point.

 

 

 

 


1 minute ago, Senzelian said:

I tried it, it didn't even work half of the time. Then there is this weird 16 billion digit code which I don't even know what it does.

 

No it doesn't, since I have to look at my phone first. Srsly, that wasn't even my point.

You obviously don't understand what 2FA is.

 


1 minute ago, Senzelian said:

I tried it, it didn't even work half of the time. Then there is this weird 16 billion digit code which I don't even know what it does.

 

No it doesn't, since I have to look at my phone first. Srsly, that wasn't even my point.

You must have a really bad phone then. It worked flawlessly for both my previous iPhone 5s and my current Samsung S5 Neo


8 minutes ago, Senzelian said:

But it's so annoying. I would rather get my account hacked and go through 2 weeks of trouble with steam to get it back, than having to deal with 2FA.

 

6 minutes ago, deXxterlab97 said:

How is it annoying? You just enter the code that was given to you and you can also save the code for this device so it doesn't prompt you anymore

 

3 minutes ago, Jed M said:

You're fucking lazy, it takes less time to type the 6-digit code than it does to type in your password.

 

Sometimes I want to disable it. The app is just so annoying. They should allow us to use something like Google Auth

Hello


5 minutes ago, deXxterlab97 said:

You must have a really bad phone then. It worked flawlessly for both my previous iPhone 5s and my current Samsung S5 Neo

OP2. Should work just fine.

5 minutes ago, Jed M said:

You obviously don't understand what 2FA is.

Yes, that must be it. Thank you.

 

 

 

 


Thank gooses for two-factor.

if you have to insist you think for yourself, i'm not going to believe you.


Heh, well good password and two-factor authentication as well as no payment info saving, all good.

Don't even browse anything on Steam really, or use any social stuff. Just preview a game if I'm interested to buy and that's it :3

