Well, Steam has had another vulnerability; thankfully, it seems to be fixed. But for part of the last 24 hours, there was an exploit that allowed users to set their profile page to display a phishing site designed to steal the username and password.
Not just that, but there was also an exploit on users' own activity feed (I'm a little unclear about the second one with the activity feed; it doesn't make as much sense to me).
While the exploit was still working, it was recommended that users enable the show URL when available option, as it would show a different URL than any Steam site.
This is just another blow to Steam's already laughable track record of protecting its users and its support's ability to resolve their problems, or in some cases even answer.
If you recall, a very young pentester/hacker added a non-malicious, but not official, Steam game to Steam via a Greenlight exploit, and I think that wasn't all he had access to. He said the Steam websites looked like they "hadn't been updated in years" and that "someone would find more vulnerabilities". Only 1 of the Steam sites, I think Community, and the login screen are fully SSL secure. And this exploit was on the community domain. Steam has reacted fast, but this exploit happened today and I found it by accident. None of my friends who have Steam even know about this exploit. I think Valve is so worried about losing stock price/investors that they're too ashamed to alert their users properly of an exploit by email or even by notification. It seems to me like they tried to sweep it under the rug instead.
This is just another blow to my already wavering trust in Steam's ability to make a secure website, or platform.
Please change your Steam password and deauthorize all devices; this exploit did allow the cookie/user session to be stolen.