[FIXED!!] Possibly huge exploit on steam being used to steal account credentials

https://www.reddit.com/r/Steam/comments/5skfg4/warning_regarding_a_steam_profile_related_exploit/

Quick & Dirty Summary: DON'T LOOK AT ANY PROFILES ON STEAM OR YOUR ACTIVITY FEED. Also turn on mobile authentication if you haven't, might save your account if compromised.

fixd

Quote
Currently, there is a risk (i.e. phishing, malicious script execution, etc.) involved when viewing or simply opening PROFILE pages of other Steam users as well as your OWN activity feed (both desktop and mobile versions on all browsers). I would advise against viewing suspicious profiles until further notice and disable JavaScript in your browser options. Do NOT click suspicious (real) Steam profile links and Disable JavaScript on Browser. Appropriate information has been forwarded to Valve and this issue should be resolved soon, sorry for any inconvenience.

Anyone (with knowledge of the exploit) who uses or abuses it FOR ANY REASON will RISK RECEIVING A COMMUNITY BAN. If you find any such profile that you can't report (as in literally cannot use the report button), please PM them to me.
Keep in mind that any discussion on any exploit method is NOT allowed here and will result in a ban without warning. This post is intentionally vague, and will be kept that way due to the nature of this exploit.

And to make it VERY clear: do NOT post profile links on this sub (temporarily), do NOT post proof of concepts (we have the repro steps and passed them on), do NOT post anything relevant that might provide information on how to do this exploit (incl. youtube links). This post is your warning.

TO THOSE POSSIBLY AFFECTED:

Change your Steam Account password, enable Mobile Authenticator if it's not on already (otherwise deauthorize Steam Guard on all systems from settings) then restart your router/change IP. You might want to also consider scanning your system with a malware scanner/anti-virus.
« Last Edit: February 07, 2017, 11:05:03 AM by IkeTheGeneric »




It's probably for the best, at least until more information is posted.

zoinks

good thing i have that mobile authentication thing already

I cannot stress this enough. SET UP THE MOBILE AUTHENTICATION IF YOU HAVEN'T. It will protect you against bullstuff like this.

is this only for viewing on browser or is it also an issue on steam client?

Quote
is this only for viewing on browser or is it also an issue on steam client?

It's an issue for mobile, every browser and steam client.

There are some reports that the exploited profiles are injecting malware into your computer if you view the profile. Nothing verified yet, but to err on the side of caution, if you feel like you might have viewed a suspicious profile, run an anti-malware and anti-virus software immediately.

Quote
It's an issue for mobile, every browser and steam client.
so, if I have mobile authenticator I am ok?

EDIT: I am doing scans right now
« Last Edit: February 07, 2017, 07:43:28 AM by JoeysWorldTourLIFE »

Quote
so, if I have mobile authenticator I am ok?

You should be, yes. Even if they steal credentials, they will not be able to log in without the authenticator code.

this sounds spooky. Good thing I've done nothing but Terraria for the last 3 days, so I'm safe.

good thing i have my mobile auth activated

Stop trying to make me use the mobile auth valve  >:(

was it a loving XSS attack, cause the description mentions JavaScript
holy mother loving god valve

Quote
Stop trying to make me use the mobile auth valve  >:(
Oh no, they're trying to get you to protect potentially hundreds of dollars of your own games

How could they???