A moderator on the Steam subreddit has warned about a new cross-site scripting (XSS) vulnerability affecting profile pages on Valve’s PC marketplace.
SteamDB confirmed the existence of the vulnerability and referred readers to a two-year-old post explaining the kinds of attacks that might be launched.
SteamDB said an XSS attack may be used to sell and buy market items using your Steam Market funds, post comments, promote group members to officers, and vote on Greenlight items.
However, another subreddit mod warned that the vulnerability extends beyond Steam.
The vulnerability can reportedly be exploited to redirect you to any non-Steam page, such as a fake login page to phish your username and password.
An attacker can also manipulate elements on the page.
According to reports, viewing someone’s profile page, or your activity feed, on the desktop or mobile versions of Steam can trigger an attack.
To avoid falling victim, mods said community members must not click on profile links or any suspicious links, and must disable JavaScript in their browser’s options.
If you have been affected, you must:
- Change your Steam Account password.
- Enable Mobile Authenticator.
- If the Authenticator is activated, deauthorise other computers on Steam Guard, then restart your modem.
- Scan your system with a malware scanner and anti-virus.



