A warning went up on the Steam subreddit earlier today cautioning Steam users—so, pretty much all of us—to avoid opening profile pages of other users, and also their own activity feeds. The message is intentionally vague to help avoid spreading details about the exploit and how to use it, but it was posted by a subreddit moderator, while another mod says he’s “investigated and created proofs of concept for this exploit.”
“Currently, there is a risk (i.e. phishing, malicious script execution, etc.) involved when viewing or simply opening PROFILE pages of other Steam users as well as your OWN activity feed (both desktop and mobile versions on all browsers including Steam browser/Chromium),” the warning says. “I would advise against viewing suspicious profiles until further notice and disable JavaScript in your browser options. Do NOT click suspicious (real) Steam profile links and Disable JavaScript on Browser.”
The vulnerability came to light earlier today.