.:`=-~rANdOm~`-=:. Game Servers

.:`=-~rANdOm~`-=:. Game Servers (Read Only) => Discussion => Topic started by: HideoKojima on March 07, 2015, 10:54:08 AM

Title: [PSA] Do not click Steam Profile Links - Security Flaw Just Exposed.
Post by: HideoKojima on March 07, 2015, 10:54:08 AM
http://www.steamgifts.com/discussion/JEj3o/psa-do-not-click-steam-profile-links-security-flaw-just-exposed

"Just a major heads up, but there's a huge security flaw that was just exposed, allowing people to execute code on profiles. So far I've only seen one profile that can do this, but it can comment for you, it can load iframes, and it can play youtube videos. It will fuck up your notifications.

DO NOT LINK THESE PROFILES IN THE FORUMS, IN CHAT, OR ANYWHERE."


Thought you all should know. Especially since a few of our members fell for something similar a while back.


"I mean, do not visit any Steam profiles whatsoever. Steamgifts site is not affected. But any links that lead to a steam profile, are unsafe at the current moment in time."


tldr; Don't go to any of your friends' profiles on Steam. (And maybe your own? idk)
Title: Re: [PSA] Do not click Steam Profile Links - Security Flaw Just Exposed. UPDATE.
Post by: HideoKojima on March 07, 2015, 11:10:44 AM
Update: Apparently it's been fixed.
https://twitter.com/SteamDB

Still. I'd maybe avoid profiles for a couple more hours just in case. (That's more of my thought cause I'm paranoid. lol)
Title: Re: [PSA] Do not click Steam Profile Links - Security Flaw Just Exposed.
Post by: coolzeldad on March 07, 2015, 12:38:06 PM
lol, the real problem was un-escaped input in certain fields... pwnt :s

the offending fields are now escaped apparently, but who knows if it'll happen again (some web ui coder at valve falls asleep before remembering to sanitize the input fields)
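
The "un-escaped input" bug class described in the post above, shown as an added example that is not part of the original thread and is not Valve's code. The renderer, the field names and the sample profile are hypothetical and constructed for illustration; it contrasts concatenating a profile field into HTML as-is with escaping it at output time.

```javascript
// Added example: hypothetical profile renderer, not code from Steam or this forum.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": user-controlled fields are concatenated into the page unchanged,
// so markup typed into a profile field becomes part of the page.
function renderProfileUnsafe(profile) {
  return `<div class="summary" title="${profile.name}">${profile.summary}</div>`;
}

// "After": every user-controlled field is escaped where it is written out,
// so the same input is displayed as text instead of being parsed as markup.
function renderProfileEscaped(profile) {
  return `<div class="summary" title="${escapeHtml(profile.name)}">${escapeHtml(profile.summary)}</div>`;
}

// Count element start tags in rendered output. The template itself
// contributes exactly one (<div>); anything above that came from the input.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample input: one field breaks out of an attribute,
// the other carries an element (the thread mentions iframes being loaded).
const sampleProfile = {
  name: 'bob" data-injected="1',
  summary: 'hi <iframe src="https://example.invalid/"></iframe> & bye',
};

console.log("unsafe :", renderProfileUnsafe(sampleProfile));
console.log("escaped:", renderProfileEscaped(sampleProfile));
console.log("start tags unsafe/escaped:",
  countStartTags(renderProfileUnsafe(sampleProfile)),
  countStartTags(renderProfileEscaped(sampleProfile)));
```

Escaping at output time, in the function that writes the field into the page, covers every field by construction rather than relying on each input form to be sanitized.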
Title: Re: [PSA] Do not click Steam Profile Links - Security Flaw Just Exposed.
Post by: Lazord on March 07, 2015, 12:52:07 PM
oshit is this why random people have been adding me every day
Title: Re: [PSA] Do not click Steam Profile Links - Security Flaw Just Exposed.
Post by: HideoKojima on March 07, 2015, 03:52:53 PM
"lol, the real problem was un-escaped input in certain fields... pwnt :s

the offending fields are now escaped apparently, but who knows if it'll happen again (some web ui coder at valve falls asleep before remembering to sanitize the input fields)"

I have no idea what you just said.


"oshit is this why random people have been adding me every day"


Like constantly? Or every once in a while?

Also you play CSGO, so it could be just people trying to scam you for your weapons and shit.
Title: Re: [PSA] Do not click Steam Profile Links - Security Flaw Just Exposed.
Post by: Frank on March 07, 2015, 04:20:37 PM
This is some spooky shit.
Title: Re: [PSA] Do not click Steam Profile Links - Security Flaw Just Exposed.
Post by: Lazord on March 08, 2015, 12:54:40 AM

"Like constantly? Or every once in a while?

Also you play CSGO, so it could be just people trying to scam you for your weapons and shit."

I got like 3 friend requests each day until it finally died down like 2 days ago.