Valve fixes Steam security exploit
The vulnerability came to light earlier today.
A warning went up on the Steam subreddit earlier today cautioning Steam users—so, pretty much all of us—to avoid opening profile pages of other users, and also their own activity feeds. The message is intentionally vague to help avoid spreading details about the exploit and how to use it, but it was posted by a subreddit moderator, while another mod says he's "investigated and created proofs of concept for this exploit."
"Currently, there is a risk (i.e. phishing, malicious script execution, etc.) involved when viewing or simply opening PROFILE pages of other steam users as well as your OWN activity feed (both desktop and mobile versions on all browsers including steam browser/chromium)," the warning says. "I would advise against viewing suspicious profiles until further notice and disable JavaScript in your browser options. Do NOT click suspicious (real) steam profile links and Disable JavaScript on Browser."
A Valve rep said that a fix has now—as of about 12:05 pm ET—been published, so the problem should be taken care of. If you think you were caught by the exploit before the fix went live, the message says you should change your Steam password, enable the mobile authenticator (which you really should be using anyway) or, if you already use it, go into the settings and de-authorize any other computers on Steam Guard, and then restart your modem or change your IP. A full scan of your system with a malware/anti-virus scanner probably wouldn't hurt either.
Details of the exploit, which we can talk about now that it's been fixed, are available here.
Update: The post initially warned that a client update was required. It was in fact an issue with the Steam website.
Image credit: DiglidiDudeNG
Andy has been gaming on PCs from the very beginning, starting as a youngster with text adventures and primitive action games on a cassette-based TRS80. From there he graduated to the glory days of Sierra Online adventures and Microprose sims, ran a local BBS, learned how to build PCs, and developed a longstanding love of RPGs, immersive sims, and shooters. He began writing videogame news in 2007 for The Escapist and somehow managed to avoid getting fired until 2014, when he joined the storied ranks of PC Gamer. He covers all aspects of the industry, from new game announcements and patch notes to legal disputes, Twitch beefs, esports, and Henry Cavill. Lots of Henry Cavill.