Skip to main content

Steam community site suffers profile vulnerability but Valve makes quick fix

If you’re any kind of PC gamer, then you likely frequent Valve’s Steam service to procure at least some of your games. And if you’re a Steam customer, then you likely spend some time on Steam’s community site — and until just recently, that might not have been the safest place to be.

It appears that the Steam community site suffered from an exploit involving user profiles that could redirect users to alternate pages and download PHP code, Ars Technica reports. Valve was able to fix the exploit soon after it was announced, but not before a number of people had created profiles that exploited the vulnerability.

Recommended Videos

The exploit was first identified on the Steam subreddit, described as such:

“Currently, there is a risk (i.e. phishing, malicious script execution, etc.) involved when viewing or simply opening PROFILE pages of other steam users as well as your OWN activity feed (both desktop and mobile versions on all browsers including steam browser/chromium). I would advise against viewing suspicious profiles until further notice and disable JavaScript in your browser options. Do NOT click suspicious (real) steam profile links and Disable JavaScript on Browser. Appropriate information has been forward to Valve and this issue should be resolved soon, sorry for any inconvenience.”

Since that post was first created, Valve was able to fix the exploit and was able to classify Steam profiles and activity feeds as safe to visit. The exploit was subsequently explained in full in a follow-up Reddit post. Steam has more than 125 million users and any exploit on the Steam community site could have serious repercussions.

Apparently, the chances of long-term problems caused by the vulnerability were slim, but nevertheless, anyone who might have suffered from the exploit while it was live is recommended to turn on two-factor authentication, keep up with Valve’s official channels for more information, and, of course, change their Steam password.

Mark Coppock
Mark Coppock is a Freelance Writer at Digital Trends covering primarily laptop and other computing technologies. He has…
Make sure you install the latest Steam Deck October update
A Steam Deck OLED sits on a table.

Valve released a big Steam Deck update this week in the Stable channel that the company says can improve performance for its handheld across the board, and even grant up to 10% more battery life for the original Steam Deck in certain situations.

The manufacturer releases consistent hotfixes and small updates to the Steam Deck beta channel, but they usually fix a couple of things that most players typically won't notice. However, SteamOS 3.6.19 is huge, with countless updates thanks in part to two big changes: a move to a more recent Arch Linux base, and an update to Mesa 24.1 for the graphics driver.

Read more
Valve won’t release a Steam Deck 2 until there’s a proper ‘generational leap’
Steam Deck over a pink background.

Don't expect a Steam Deck 2 any time soon -- or at least, not within the year. While Valve has confirmed that it's working on an official follow-up to its popular handheld console, it's against the idea of annual hardware releases.

In an interview with Reviews.org (spotted by The Verge), Steam Deck designers Lawrence Yang and Yazan Aldehayyat weighed in on the product's future. While they said they approve of competition in the space and how they can (and in some cases have) improve on the Steam Deck foundation, they're not going to follow the trend of releasing new versions with incremental improvements.

Read more
Surprise Steam agreement update says you can now sue Valve directly
The Zotac Zone handheld gaming console running Steam.

Many players -- including me -- got a bit of a jump scare Thursday evening while playing games on SteamĀ in the form of a pop-up that said Valve updated the Steam Subscriber Agreement. Like most people, I clicked the checkbox, accepted the changes, and tried to go back to my game.

Looking back, though, this update is kind of a big deal, as Valve has removed its forced arbitration clause. This means that it's now easier than ever to sue the company, and the changes have been implemented immediately.

Read more