A Nasty Steam Profile Exploit Discovered By Researcher: What Users Need To Know About The Cross-Site Scripting Vulnerability

A nasty Steam Profile exploit was discovered by researcher @cra0kalo. Find out what the XSS exploit does and what users should do to protect themselves.


A serious Cross-Site Scripting (XSS) exploit has been discovered in the Steam multiplayer gaming platform. According to security researcher @cra0kalo, if leveraged, the exploit can pull off some pretty nasty stunts.

In an announcement on Twitter, the researcher shared that he had discovered an XSS vulnerability that would allow attackers to build an exploit which can take over a Steam profile. Once the profile is infected, it can do a number of malicious things to victims who simply view the profile.

The researcher provided a proof-of-concept exploit used on a Steam profile. Users who click on @cra0kalo’s poisoned profile will find a Windows executable starts downloading on their device. While @cra0kalo’s demonstration is harmless, as the file it downloads is not malicious, it is meant to show what kind of access an attacker could get to a victim’s device.

The vulnerability is serious enough that R3TR1X, a moderator of the Steam subreddit, made an announcement to subscribers, warning of the dangers of visiting Steam profiles until the issue is resolved.

According to the post, any user viewing or simply opening a Steam profile page is at risk of having personal details phished, being redirected to malicious websites or having malicious script run on their devices. The post goes so far as to say there have even been reports of attacks being possible from simply viewing one’s own activity feed. Until the problem is resolved, the mod warns against visiting any Steam profile pages unless you are absolutely certain the link is legitimate. In addition, Steam users are advised to disable JavaScript in their browsers entirely. The exploit appears to affect both desktop and mobile browsers, including the Steam and Chrome browsers, so users need to exercise extreme caution while the exploit is unpatched.

In a separate post, another Steam subreddit mod, DirtDiglett, shared with users several examples of things the Steam exploit can do to victims who simply view an infected profile – no clicking on anything necessary.

  • Redirect you to any non-steam page, for example, a phishing login page.
  • Utilize scripting to use your Steam Market funds on any item the malicious user chooses, you wouldn't even need to confirm anything as you're on a valid login session.
  • Manipulate elements on the page as they see fit.
  • Perform any action AS YOU with your active login session.
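The list above describes the classic impact of a stored XSS: text an attacker writes into their own profile is rendered as live markup in every viewer's browser, inside that viewer's authenticated session. The following is an added example (not code from the article, from Valve or from the researcher) showing the defect and its fix in miniature: a toy profile renderer that interpolates user-controlled fields without escaping, the same renderer with context-correct HTML escaping, a small check a reviewer or test suite can use to spot markup leaking through, and an illustrative Content-Security-Policy as defence in depth. The `Profile` fields, the template and the sample summary text are all constructed for the example and are not Steam's.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class Profile:
    """Hypothetical profile record; field names are assumptions for the example."""
    display_name: str
    summary: str


# Constructed sample: a profile whose free-text summary carries markup, the sort of
# attacker-controlled text a stored XSS lives in. The payload only changes the page
# title and is a stand-in for whatever script a real attacker would plant.
SAMPLE = Profile(
    display_name="Friendly Trader",
    summary='Hello! <script>document.title="owned"</script> trade me',
)

# The page template. {name} lands in both an attribute and element text, so every
# value must be escaped for the attribute context too (quote=True below).
TEMPLATE = (
    '<div class="profile">'
    '<h1 title="{name}">{name}</h1>'
    '<p class="summary">{summary}</p>'
    "</div>"
)


def render_unsafe(p: Profile) -> str:
    """Vulnerable: user text is dropped straight into HTML, so any tags in it become live."""
    return TEMPLATE.format(name=p.display_name, summary=p.summary)


def render_safe(p: Profile) -> str:
    """Fixed: every user-controlled value is escaped for HTML text and attribute contexts."""
    return TEMPLATE.format(
        name=html.escape(p.display_name, quote=True),
        summary=html.escape(p.summary, quote=True),
    )


_TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def unexpected_tags(rendered: str, template_tags=frozenset({"div", "h1", "p"})) -> set:
    """Detection aid: tag names present in the output that the template itself never emits.

    Anything returned here came from user data, which is exactly the stored-XSS signal.
    """
    found = {m.group(1).lower() for m in _TAG_RE.finditer(rendered)}
    return found - template_tags


def csp_header() -> str:
    """Illustrative Content-Security-Policy (an assumption, not Steam's real policy).

    Refusing inline script means an escaping mistake elsewhere still does not execute
    attacker-supplied JavaScript in the viewer's session.
    """
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


if __name__ == "__main__":
    print("unsafe leaks:", unexpected_tags(render_unsafe(SAMPLE)))  # {'script'}
    print("safe leaks:  ", unexpected_tags(render_safe(SAMPLE)))    # set()
    print("Content-Security-Policy:", csp_header())
```

The point of `unexpected_tags` is not to sanitise (escaping at output time already does that) but to give a regression test that fails loudly if someone later reintroduces raw interpolation into a template.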

The risk appears serious enough that the Steam trading subreddit, /r/GlobalOffensiveTrade, has actually taken itself offline until the issue is resolved.


All of the information about the vulnerability has been submitted to Valve, the creators of Steam, and the researcher is currently waiting to hear from the company to see when a fix might become available. We reached out to Valve ourselves concerning the XSS vulnerability, but have yet to receive any response. As more information becomes available about the Steam profile exploit, we’ll be sure to update this post. Until that time, all Steam users should exercise extreme caution when using the site and avoid visiting user profiles at all costs.
