A moderator on the Steam subreddit has warned about a new cross-site scripting (XSS) vulnerability affecting profile pages on Valve’s PC marketplace.
SteamDB confirmed the existence of the vulnerability and referred readers to a two-year-old post explaining the kinds of attacks that might be launched.
SteamDB said an XSS attack may be used to sell and buy market items using your Steam Market funds, post comments, promote group members to officers, and vote on Greenlight items.
However, another subreddit mod warned that the vulnerability extends beyond Steam.
The vulnerability can reportedly be exploited to redirect you to any non-Steam page, such as a fake login page to phish your username and password.
An attacker can also manipulate elements on the page.
According to reports, viewing someone’s profile page, or your activity feed, on the desktop or mobile versions of Steam can trigger an attack.
To avoid falling victim, mods said community members must not click on profile links or any suspicious links, and must disable JavaScript in their browser’s options.
Valve has been informed about the vulnerability, according to the Steam subreddit community moderators.
If you have been affected, you must:
- Change your Steam Account password.
- Enable Mobile Authenticator.
- If the Authenticator is activated, deauthorise other computers on Steam Guard, then restart your modem.
- Scan your system with a malware scanner and anti-virus.
This article first appeared on MyBroadband and is republished with permission.
