As of writing this article, it has been declared fixed by Steam.
Cross-site scripting (XSS) is a common technique used by malware developers, and it relies on a vulnerability in web applications.
In layman's terms, a website accepts input in text form, and an attacker passes it a payload instead: code written in HTML and JavaScript (web code) that performs unwanted behavior or produces the attacker's desired damaging output.
Some exploits are harmless, while others are used to send the unsuspecting user to a phishing website or, most dangerously, a malware-laced website. The web application fails to filter the damaging payload, which forces the unsuspecting user's web browser to run or render it.
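To make the filtering failure described above concrete, here is an added example (not from the original article and not Steam's code) that renders a profile once without filtering and once with output encoding plus a link-scheme allowlist. The field names `summary` and `website` and the sample values are assumptions constructed for illustration.

```javascript
// Added example: a hypothetical profile renderer, not Steam's code.
// Sample input is constructed; the field names are assumptions.
const profile = {
  summary: 'Hi <script>alert(1)</script>',
  website: 'javascript:alert(1)',
};

// Vulnerable: user text is concatenated into markup unfiltered,
// so the browser parses it as HTML and runs the embedded script.
function renderUnsafe(p) {
  return `<div class="summary">${p.summary}</div>` +
         `<a href="${p.website}">website</a>`;
}

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow only http(s) links; any other scheme (javascript:, data:, ...)
// or a value that is not an absolute URL is replaced with "#".
function safeHref(raw) {
  try {
    const u = new URL(raw);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch {
    return '#';
  }
}

// Hardened: text is encoded for the HTML context, and the link is
// checked against the scheme allowlist before being encoded as an attribute.
function renderSafe(p) {
  return `<div class="summary">${escapeHtml(p.summary)}</div>` +
         `<a href="${escapeHtml(safeHref(p.website))}">website</a>`;
}

console.log(renderUnsafe(profile)); // markup still contains a live <script> tag
console.log(renderSafe(profile));   // payload is shown as inert text, link is "#"
```

Encoding has to match the context the value lands in: the same escaped string that is safe inside a `<div>` is not enough for an `href`, which is why the link gets a separate scheme check.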
Web developers take a lot of time and effort to avoid and mitigate such attacks from happening. However, it is extremely hard if not impossible to mitigate against all of them.
Eventually, a smart guy will figure out something to outmaneuver security somewhere along the way. This is what happened when one security researcher found a way to introduce arbitrary code into a Steam profile, bypassing Valve's security measures.
The researcher, Cra0kalo, has created a proof of concept that demonstrates the attack in action. If you’re curious, you can check it out here.
@showthread example one I made https://t.co/k7qjH1zgp0
— Cra0kalo (@cra0kalo) February 7, 2017
When you visit the page, the third-party code will attempt to download a Windows executable. As far as I can tell, this exe is pretty harmless. In a tweet, Cra0kalo says that it’s an intro animation he made with VB6 when he was 16 (still don’t download it though). But if anyone was so inclined, it could be something malicious, like a ransomware program or any variety of virus.
There is something good that came from this. Valve has already resolved the issue.