By Anni Simpson on February 9, 2017 at 1:59pm
Tuesday, Steam suffered a glaring security exploit in which user risked losing their personal information by looking at other users' profiles or by looking at their activity feed. The method of exploitation was unusually simple - inject Javascript code into your own level 10+ profile.
Reddit user R3TR1X originally reported the information to the Steam subreddit as an ongoing effort to catalogue the problem, how to avoid it, and consequences for exploiting it oneself (spoiler: banhammer).
According to Jeremiah Grossman, chief of security strategy at security firm SentinelOne, it is possible that the exploit could be viral and automatically replicate itself every time someone unknowingly clicks an infected profile; from there, they also become a host to the infection, and it spreads. The implications of the bug are pretty far reaching. Redditor DirtDiglett pointed out that SteamGuard does not protect Marketplace purchases if you're making a purchase (but is required if you're selling).
Users who may have been affected should immediately:
- Change their password.
- Enable SteamGuard as a second method of authentication.
- Restart your modem to change your IP address.
If you can't utilize SteamGuard for any reason, make sure to deauthorize any other users (and still change your password, of course). As an extra security measure, you can also request that Steam show you the URL its using inside the browser. This helps verify the URL is actually the one you want to be using.
In the meantime, make sure you continue to practice basic Internet security measures:
- Use complex, difficult-to-guess passwords that you don't share with anyone.
- Avoid URLs and websites that don't look quite right (verifying the URL as the official site). Definitely don't enter login information to shady sites.
- Don't click on attachments from anywhere if you aren't expecting it and can't verify the source.
Ars Technica Reddit
