Update: Valve have now fixed this exploit, so you're free to browse Steam until your little heart is content.
Basically, the exploit happened because the 'My Guides Showcase' section of a profile rendered scripts placed in a guide's title field as live markup rather than as text, opening it up to abuse. There are more details over on Reddit.
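As an added illustration (not code from the article, the Reddit thread or Valve), this shows the pattern the description implies: a user-controlled showcase title concatenated straight into HTML, next to the output-encoded form that displays the same title harmlessly. The function names and the sample title are constructed for the example.

```javascript
// Constructed sample title: user-controlled data that happens to contain markup.
// A real guide title is free text, so nothing stops it from containing '<' or quotes.
const SAMPLE_TITLE = 'My CS:GO guide <script>alert(1)</script> & tips';

// Vulnerable pattern: untrusted data dropped into markup, so the browser
// parses the <script> element and runs it in the viewer's logged-in session.
function renderShowcaseTitleUnsafe(title) {
  return `<div class="guide_showcase_title">${title}</div>`;
}

// Encode the five characters that change meaning in HTML text and
// double/single-quoted attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: encode on output, so the title is shown verbatim
// and can never become an element, attribute or script.
function renderShowcaseTitleSafe(title) {
  return `<div class="guide_showcase_title">${escapeHtml(title)}</div>`;
}

// Reviewer check: does a rendered fragment contain any tag other than the
// wrapper the template itself emits? True means user data leaked in as markup.
function leaksMarkup(rendered) {
  const tags = rendered.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?div\b/.test(t));
}

// In browser code the same fix is: element.textContent = title; never innerHTML.
// A Content-Security-Policy that disallows inline scripts is a second layer that
// would have blocked execution even with the encoding bug present.
```
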
This isn't the first time something like this has happened, as you can see in the video above. Tomáš Duda, a developer working for SCS Software, uncovered an exploit in 2014, and his reports to Valve allegedly went unanswered.
He decided to show them by putting a bit of harmless code in there, making Steam do the Harlem Shake. It's funny, but it did get him a one-year ban.
Original: A warning has popped up on Reddit for people browsing Steam. There's seemingly a phishing exploit that can steal your details just from opening a page.
The risk appears to be legitimate, and is serious enough that a subreddit for Steam trading, /r/GlobalOffensiveTrade, has been taken offline until further notice.
R3TR1X says that viewing or opening the profile pages of other Steam users who are abusing the exploit can risk phishing and malicious script execution. He even says "I've received reports they can also do it on YOUR activity feed", so best stay off that, too.
He keeps the details of the exploit “intentionally vague” due to its nature, but a user named DirtDiglett, who claims to be a web developer, has replied with a little more insight. DirtDiglett says “with the right know-how, a malicious user” could do the following to you, if you view his or her profile:
- Redirect you to any non-Steam page. This could be used as part of a phishing scam, wherein you see a non-Steam page disguised as a legitimate Steam profile. Navigate away and you're shown what looks like a Steam login page. Nothing too unusual about that, if you think you're still on Steam, so you enter your details.
- Utilise scripting to use your Steam Market funds on any item the malicious user chooses; you wouldn't even need to confirm anything as you're on a valid login session.
- Manipulate elements on the page as they see fit.
DirtDiglett suggests you triple-check the URL of any website you navigate to before doing anything with your information, enable ‘display Steam URL address bar when available’ in Steam’s settings, and avoid viewing profiles of anyone you don’t know.
R3TR1X’s advice is similar. If you think you might be affected, he advises changing your Steam account password, enabling mobile authentication if it’s not on already (otherwise deauthorising Steam Guard on all systems), then restarting your modem or otherwise changing your IP, and considering a malware/virus scan.
R3TR1X and DirtDiglett both seem confident Valve will be taking action. Until we hear more, though, take extra care when using Steam’s social features. Here's the announcement in full.