The popular online game platform Steam is going to fix a serious vulnerability that could be exploited by hackers to redirect users to malicious websites, use their market funds, and also change their profile.
It seems that the XSS exploit on Steam Profiles has been only partially fixed, it seems that the flaw had been fixed only the initial activity feed pages, but it is still present on subsequent pages.
The vulnerability was first reported in a Reddit thread this week, and experts observed that in a few hours after its disclosure many people were creating profiles that contained the code to trigger the vulnerability.
According to Ars, most of the exploit pages just redirect visitors to a site with PHP code that prompts them to download an unknown file.
“Such redirections, however, are possibly only a small sample of what the underlying exploit makes possible. One Reddit participant said here and here that viewing malicious profiles could force people to make purchases using their Steam market funds.” reported the Ars.
Clearly, the flaw in the Steam platform could be also exploited to steal authentication cookies used and control the user accounts of the visitors.
It is expected that the number of infected profiles would rapidly grow because it is enough that users visit an existing malicious profile.
The Steam platform was already exploited by hackers in the past to launch cyber attacks. In October 2016, the malware researcher Lawrence Abrams discovered a Reddit user which is warning of the existence of hacked Steam accounts used to spread a Remote Access Trojan (RAT).
In March 2016, the security expert at Kaspersky Lab, Santiago Pontiroli, and Bart P, an independent security researcher, published an interesting analysis of malware targeting the Steam gaming platform and evolution of threats through the last few years,
Valve estimated that nearly 77,000 accounts are hijacked and pillaged each month.
Back to the present, Steam users who think they may have visited a malicious profile urge to check their settings and should change their passwords. I always suggest also to enable two-factor authentication to avoid ugly surprises.
(Security Affairs – Steam , XSS exploit)