It’s been a bad day on Steam, as a nasty exploit has been lurking on the site – not for the first time – ready to trap the unwary and compromise their accounts. But the good news is that Valve has literally just patched the flaw with a swift response.
To be specific, this was an XSS exploit (cross-site scripting) which, as Eurogamer spotted, was initially highlighted by a moderator on Steam's official Reddit around eight hours ago.
The vulnerability let malicious parties inject their own code in order to compromise an account – potentially allowing the attacker to perform actions on said account that don’t need the password reconfirming, or they could attempt to redirect the owner to a phishing site to grab their login details.
Profile pitfall
According to the mod in question, this was triggered just by viewing a dodgy profile page, or your own activity feed, but both these areas have now been patched up and fixed.
However, if you’ve been clicking around Steam profiles earlier today, or the activity feed, that could obviously be a worry. There’s no sure way to tell if you have been affected at this point, unfortunately, save for – obviously enough – odd things happening to your Steam account. Fingers crossed that isn’t the case.
As mentioned, this isn’t the first time we’ve witnessed an exploit hitting the Steam site, or indeed serious privacy woes like the time just over a year ago when some users were shown other people’s account details (including credit card data) instead of their own.