Steam, an online game platform with more than 125 million active accounts, is in the process of fixing a serious security hole that opens users to hacks that could redirect them to attack sites, spend their market funds, or possibly make malicious changes to their user profiles.
As this post was going live, employees with Valve, the company that develops Steam, were reportedly in the process of fixing the bug. Unconfirmed posts such as this one reported that the cross-site scripting hole had been patched on the initial activity feed pages but not on subsequent pages. Valve representatives didn't respond to e-mails seeking comment for this post.
The vulnerability is the result of a failure to filter malicious commands out of user-created profile pages. Attackers can exploit the failure by inserting JavaScript and other types of code into their profiles. The malicious commands are then executed without warning on the computers of anyone who visits the booby-trapped page. The flaw first came to light in a Reddit thread that went live on Tuesday morning. Within hours, people were creating profiles that exploited the bug.
So far, most of the exploit pages that Ars is aware of do little more than redirect visitors to a site with PHP code that prompts them to download an unknown file. Such redirections, however, are possibly only a small sample of what the underlying exploit makes possible. One Reddit participant said here and here that viewing malicious profiles could force people to make purchases using their Steam market funds.
Jeremiah Grossman, chief of security strategy at security firm SentinelOne, said it's possible that exploits could also steal authentication cookies used to automatically access restricted user accounts or modify visitors' profile pages. That would leave open the possibility of self-replicating exploits that spread virally. Under such a scenario, the number of infected profiles would grow each time someone clicked on an existing malicious profile. It's not the first time a serious vulnerability on the Steam community website has put user accounts at risk, as evidence by Ars stories here and here.
There's no evidence that self-replicating worms are possible in this case, and even if there is, there's no evidence that anyone has created one. Still, the risk is high enough that Steam users should proceed with caution. Until there's definitive word that the vulnerability has been fully eradicated, Steam users should avoid viewing all profile pages. Steam users who think they may have viewed a malicious profile should change their passwords, enable two-factor authentication, and monitor official Valve communications for advisories.
This post will be updated as warranted.
reader comments
75