Topic: [PSA] Do not click Steam Profile Links - Security Flaw Just Exposed.

Offline HideoKojima

http://www.steamgifts.com/discussion/JEj3o/psa-do-not-click-steam-profile-links-security-flaw-just-exposed

"Just a major heads up, but there's a huge security flaw that was just exposed, allowing people to execute code on profiles. So far I've only seen one profile that can do this, but it can comment for you, it can load iframes, and it can play YouTube videos. It will fuck up your notifications.

DO NOT LINK THESE PROFILES IN THE FORUMS, IN CHAT, OR ANYWHERE."


Thought you all should know. Especially since a few of our members fell for something similar a while back.


"I mean, do not visit any Steam profiles whatsoever. Steamgifts site is not affected. But any links that lead to a steam profile, are unsafe at the current moment in time."


tl;dr: Don't go to any of your friends' profiles on Steam. (And maybe your own? idk)
« Last Edit: March 07, 2015, 11:02:00 AM by HideoKojima »


Offline HideoKojima

Update: Apparently it's been fixed.
https://twitter.com/SteamDB

Still. I'd maybe avoid profiles for a couple more hours just in case. (That's more of my thought cause I'm paranoid. lol)


Offline coolzeldad
« Reply #2 on: March 07, 2015, 12:38:06 PM »
lol, the real problem was un-escaped input in certain fields... pwnt :s

the offending fields are now escaped apparently, but who knows if it'll happen again (some web ui coder at valve falls asleep before remembering to sanitize the input fields)
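
What "un-escaped input in certain fields" means in practice, as an added example that is not part of the original thread and is not Steam's code. The field names (`displayName`, `summary`, `website`), the markup and the sample profile are hypothetical and constructed for illustration:

```javascript
// Added example: field names and markup are hypothetical, not Steam's.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, an entity or an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only http(s) links may reach an href; anything else is replaced with '#'.
function safeHref(value) {
  try {
    const url = new URL(String(value));
    return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : '#';
  } catch {
    return '#'; // not a parseable absolute URL
  }
}

// "Before": user-controlled fields are concatenated into the page unescaped,
// so markup typed into a profile field becomes markup in every visitor's page.
function renderProfileUnsafe(p) {
  return `<div class="profile"><h1>${p.displayName}</h1><p>${p.summary}</p></div>`;
}

// "After": every field is encoded for the context it lands in.
function renderProfileSafe(p) {
  return `<div class="profile"><h1>${escapeHtml(p.displayName)}</h1>` +
    `<p>${escapeHtml(p.summary)}</p>` +
    `<a href="${escapeHtml(safeHref(p.website))}">website</a></div>`;
}

// Constructed sample input: a profile whose fields contain markup.
const hostileProfile = {
  displayName: 'Bob <iframe src="https://example.invalid/"></iframe>',
  summary: 'hi & bye',
  website: 'javascript:void(0)',
};

// Lists the element names a browser would actually open in the given HTML.
function tagNames(html) {
  return [...html.matchAll(/<([a-z][a-z0-9]*)/gi)].map((m) => m[1].toLowerCase());
}

console.log(tagNames(renderProfileUnsafe(hostileProfile))); // includes 'iframe'
console.log(tagNames(renderProfileSafe(hostileProfile)));   // template tags only
```
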


Offline Lazord
« Reply #3 on: March 07, 2015, 12:52:07 PM »
oshit is this why random people have been adding me every day

Offline HideoKojima
« Reply #4 on: March 07, 2015, 03:52:53 PM »
> lol, the real problem was un-escaped input in certain fields... pwnt :s
>
> the offending fields are now escaped apparently, but who knows if it'll happen again (some web ui coder at valve falls asleep before remembering to sanitize the input fields)

I have no idea what you just said.

> oshit is this why random people have been adding me every day

Like constantly? Or every once in a while.

Also you play CSGO, so it could be just people trying to scam you for your weapons and shit.


Offline Frank
« Reply #5 on: March 07, 2015, 04:20:37 PM »
This is some spooky shit.

Offline Lazord
« Reply #6 on: March 08, 2015, 12:54:40 AM »

> Like constantly? Or every once in a while.
>
> Also you play CSGO, so it could be just people trying to scam you for your weapons and shit.

I got like 3 friend requests each day until it finally died down like 2 days ago.