Steam, an online game platform with more than 125 million active accounts, is in the process of fixing a serious security hole that opens users to hacks that could redirect them to attack sites, spend their market funds, or possibly make malicious changes to their user profiles.
As this post was going live, employees with Valve, the company that develops Steam, were reportedly in the process of fixing the bug. Unconfirmed posts such as this one reported that the cross-site scripting hole had been patched on the initial activity feed pages but not on subsequent pages. Valve representatives didn’t respond to e-mails seeking comment for this post.
The vulnerability is the result of a failure to filter malicious commands out of user-created profile pages. Attackers can exploit the failure by inserting JavaScript and other types of code into their profiles. The malicious commands are then executed without warning on the computers of anyone who visits the booby-trapped page. The flaw first came to light in a Reddit thread that went live on Tuesday morning. Within hours, people were creating profiles that exploited the bug.