Choose style:

Author Topic: Can Steam/Valve even be trusted to keep peoples accounts safe anymore?  (Read 231 times)

0 Members and 1 Guest are viewing this topic.

Offline kimbopeppermint

  • Jr. Member
  • **
  • Posts: 58
  • Karma: 2
    • View Profile
Well, Steam has had another vulnerability, thankfully it seems to be fixed. But for part of the last 24 hours, there was an exploit that allowed users to set their profile page to display a phishing site designed to steal the user and password.
Not just that, but there was also an exploit on users own activity feed (i'm a little unclear about the second one with the activity feed, it doesnt make as much sense to me.)

On top of that, part of this exploit allowed another exploit which enabled the user to make their steam profile run the latest comment as javascript when visited. THIS IS CATASTROPHIC AND NO ONE WAS WARNED BY VALVE/STEAM

While the exploit was still working, it was recommended users enable show url when available, as it would show a different url than any steam sites.

This is just another blow to Steam's already laughable track record of protecting its users and its support's ability to resolve their problems, or in some cases even answer.

If you recall, a very young pentester/hacker added a non malicious, but not official Steam game to Steam via a Greenlight exploit and i think that wasn't all he had access to. He said the steam websites looked like they "hadn't been updated in years" and that "someone would find more vulnerabilities", only 1 of the steam sites, I think Community, and the login screen are fully SSL secure. And this exploit was on the community domain. Steam has reacted fast, but this exploit happened today and I found it by accident. None of my friends who have Steam even know about this exploit. I think Valve is so worried about losing stock price/investors that they're too ashamed to alert their users properly of an exploit by email or even by notification. It seems to me like they tried to sweep it under the rug instead.

Feel free to search up steam javascript exploit yourself, i don't supply links so as to foster good practices like not following links and googling for the real site one's self.

This is just another blow to my already wavering trust in Steam's ability to make a secure website, or platform.

Please change your steam password , and deauthorize all devices, this exploit did allow the cookie/user session to be stolen. :o
"I'm a merciless butcher of virgin machines !"
~VinDSL March 07, 2017

Offline kimbopeppermint

  • Jr. Member
  • **
  • Posts: 58
  • Karma: 2
    • View Profile
Re: Can Steam/Valve even be trusted to keep peoples accounts safe anymore?
« Reply #1 on: February 09, 2017, 01:44:51 am »
New news, Steam didn't have any CSS/XSS/HTMl/Javascript cleaner, that is to say there was no cleaning of the text users put in their profile, which allowed users to put code of different kinds. This is to say the least a newbie mistake, as outlined in a new Reddit thread. Most web developers reading the thread were pulling their hair out wondering why Steam would trust user content like unchanged text to be added to their Steam profile, anyone from the Web Development team @ Valve should have seen this coming, and prevented it.
"I'm a merciless butcher of virgin machines !"
~VinDSL March 07, 2017

Offline Slim.Fatz

  • Trusted User
  • Veteran
  • *****
  • Posts: 1208
  • Karma: 326
  • Where's the mouse?
    • View Profile
  • Peppermint version(s): Peppermint 7 & kernel 4.10.6
Re: Can Steam/Valve even be trusted to keep peoples accounts safe anymore?
« Reply #2 on: February 09, 2017, 03:28:19 am »
They were probably too busy gaming ...  :D

Regards,

-- Slim
Tread lightly: Fluxbox, awesome, Openbox, i3, JWM

Offline scifidude79

  • Trusted User
  • Veteran
  • *****
  • Posts: 2360
  • Karma: 577
    • View Profile
  • Peppermint version(s): Peppermint 7 64 bit
Re: Can Steam/Valve even be trusted to keep peoples accounts safe anymore?
« Reply #3 on: February 09, 2017, 10:34:14 am »
What's worse, you can link your Steam profile and your Facebook account, if you have one.  Talk about insecure!  :o

All Valve cares about right now is VR.  Literally.  It sickens me how they let other stuff lapse because of it.  But, I have too much time and money invested in games on Steam to just pull the plug and go completely over to GOG.  (if only I'd known about them sooner)

Offline jimbo160

  • nOOb
  • *
  • Posts: 19
  • Karma: 4
  • New Forum User
    • View Profile
  • Peppermint version(s): 7
Re: Can Steam/Valve even be trusted to keep peoples accounts safe anymore?
« Reply #4 on: February 17, 2017, 08:22:29 pm »
just had to find a place to ask, but does the steam work on Peppermint 7? I go to games, add to desktop, and it does nothing. As soon as i find a way to add my pc info, i will do that.


Offline scifidude79

  • Trusted User
  • Veteran
  • *****
  • Posts: 2360
  • Karma: 577
    • View Profile
  • Peppermint version(s): Peppermint 7 64 bit
Re: Can Steam/Valve even be trusted to keep peoples accounts safe anymore?
« Reply #5 on: February 17, 2017, 09:10:17 pm »
Yes, Steam works great with Peppermint 7.  If you use an AMD/ATI GPU, be sure to read this:

https://forum.peppermintos.com/index.php/topic,3739.0.html