Valve Fixes Security Flaws In Steam Community

The Steam Community site was deemed unsafe due to an XSS (cross-site scripting) exploit that redirects users to a fake or phishing site and compromises Steam users’ accounts. There’s a chance that users might lose their Steam Wallet funds from this vulnerability.

A post on the Steam subreddit warns users of what the exploit does and advises users against clicking on Steam profile links.

- Redirect you to any non-steam page, for example a phishing login page. From a user perspective it is you going to a legitimate Steam profile, then you see a login page.
- Utilize scripting to use your Steam Market funds on any item the malicious user chooses, you wouldn’t even need to confirm anything as you’re on a valid login session.
- Manipulate elements on the page as they see fit.

“Currently, there is a risk (i.e. phishing, malicious script execution, etc.) involved when viewing or simply opening PROFILE pages of other steam users as well as your OWN activity feed (both desktop and mobile versions on all browsers including steam browser/chromium),” the warning says. “I would advise against viewing suspicious profiles until further notice and disable JavaScript in your browser options. Do NOT click suspicious (real) steam profile links and Disable JavaScript on Browser.”

The good news is that the issue has been fixed by Valve.