ReVuln have spotted a vulnerability in the Steam service that allows you to be redirected to malicious sites and programs when clicking a Steam link. Whilst potentially effective for all browsers, if you use Safari you need to be particularly aware of this exploit.
In their words: “If you are familiar with Steam, you know that every user gets a personal profile page and on this page it’s possible to include information like pictures and videos. While pictures provided by the users get uploaded on Steam, videos are just links to YouTube videos. If a user tries to view a video attached to a profile, the user will get a page in which there is only the video, so no comments or description coming from YouTube. But if the user clicks on the title of the video (i.e. to leave comments on the YouTube video) then a new window is opened with all the details about the video including comments and description. So a malicious user can include links to external hosts, which can remotely invoke Steam commands by using the usual steam:// URLs. With this strategy the Steam browser will execute the protocol handler calls without any warnings.”
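The weak link in the chain above is that a user-controlled page can carry a link whose scheme hands the click to an OS protocol handler. One mitigation a site can apply on its own side is to allowlist link schemes in user-supplied content, so only http(s) and relative links are ever rendered as clickable. The Python below is an added example, not code from Steam, Valve or ReVuln; the function names, the sample links and the `steam://example/command` URL are constructed for illustration. It also covers the usual evasions a naive `startswith("http")` check misses: mixed-case schemes, leading whitespace and control characters embedded in the scheme.

```python
"""Scheme allowlist for user-supplied links (added example, not Steam's code).

A site that lets users embed links or videos in a profile can neutralise the
steam:// trick described above by only rendering http(s) links as clickable.
Custom schemes (steam:, mailto:, and so on) are handed to the browser's or the
OS's protocol handler on click, so they are never emitted as <a href>.
"""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def normalise(url: str) -> str:
    """Strip surrounding whitespace and embedded ASCII control characters.

    Browsers ignore tabs and newlines inside a URL, so "ste\tam://" is still a
    steam: link to the browser; removing them first keeps the check honest.
    """
    return "".join(ch for ch in url.strip() if ord(ch) >= 0x20)


def link_scheme(url: str) -> str:
    """Return the lower-cased scheme, or '' for relative / scheme-relative links."""
    return urlsplit(normalise(url)).scheme.lower()


def is_safe_link(url: str) -> bool:
    """True when the link stays inside the web model (http/https or relative)."""
    scheme = link_scheme(url)
    return scheme == "" or scheme in ALLOWED_SCHEMES


def filter_links(urls):
    """Split a list of candidate hrefs into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for url in urls:
        (allowed if is_safe_link(url) else blocked).append(url)
    return allowed, blocked


# Constructed sample input: the kind of hrefs a profile description might carry.
SAMPLE_LINKS = [
    "https://www.youtube.com/watch?v=EXAMPLE",   # constructed video link
    "/profiles/example-user",                     # relative link, allowed
    "steam://example/command",                    # constructed custom-scheme link
    "  STEAM://example/command",                  # leading spaces, mixed case
    "ste\tam://example/command",                  # tab embedded in the scheme
    "mailto:someone@example.org",                 # any non-http(s) scheme is refused
]

if __name__ == "__main__":
    ok, bad = filter_links(SAMPLE_LINKS)
    print("allowed:", ok)
    print("blocked:", bad)
```

The check is deliberately an allowlist rather than a blocklist of known-bad schemes: new protocol handlers appear with every installed application, and a site cannot enumerate them.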
Browsers such as Safari don’t give a warning that they’re launching an external program, so their users are more at risk than others.
Hopefully Valve are getting on top of this exploit. We’re contacting them to check what’s being done.