UPDATED 23:58 EDT / FEBRUARY 07 2017

Security flaw in Steam allows hackers to inject malicious code via a profile page

A security flaw discovered in the popular online gaming platform Steam allows a hacker to execute malicious commands on the computers of any user visiting an infected profile page.

The flaw is a cross-site scripting vulnerability caused by the Steam client failing to block malicious commands from user-created profile pages. It enables a hacker to create a user profile that includes malicious code, which is injected into the computer of any Steam user visiting the profile. The hacker can then take control of the victim's Steam account and use it to sell and buy market items, post comments, promote group members to officers and vote on Greenlight items.
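The defensive side of this class of bug, as an added example that is not Valve's code: a profile renderer that concatenates user-supplied fields into markup, next to one that encodes each field for its output context and restricts links to http(s). The field names, function names and sample profile are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical profile renderer, not Steam's implementation.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode text for HTML element content and quoted attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) links; any other scheme or a relative value is dropped.
function safeLink(raw) {
  try {
    const url = new URL(String(raw).trim());
    return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
  } catch {
    return null; // not a parseable absolute URL
  }
}

// Vulnerable pattern: user-controlled fields concatenated straight into markup.
function renderProfileUnsafe(profile) {
  return `<h1>${profile.name}</h1><p>${profile.summary}</p>` +
         `<a href="${profile.website}">Website</a>`;
}

// Hardened pattern: every field is encoded for the context it lands in.
function renderProfileSafe(profile) {
  const link = safeLink(profile.website);
  return `<h1>${escapeHtml(profile.name)}</h1><p>${escapeHtml(profile.summary)}</p>` +
         (link ? `<a href="${escapeHtml(link)}" rel="noopener noreferrer">Website</a>` : "");
}

// Defence in depth: a response header that blocks inline script if encoding is ever missed.
const PROFILE_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Constructed sample input: a profile whose fields carry markup instead of plain text.
const sampleProfile = {
  name: 'Player"One',
  summary: "<script>alert(1)</script>",
  website: "javascript:alert(1)",
};

console.log(renderProfileUnsafe(sampleProfile)); // markup passes through untouched
console.log(renderProfileSafe(sampleProfile));   // markup is shown as inert text
```

The hardened renderer displays the submitted markup as literal text and omits the link entirely, while the policy in `PROFILE_CSP` would be sent as a `Content-Security-Policy` response header on profile pages.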

“Currently, there is a risk (i.e. phishing, malicious script execution, etc.) involved when viewing or simply opening PROFILE pages of other steam users as well as your OWN activity feed (both desktop and mobile versions on all browsers including steam browser/chromium),” a moderator on the Steam subreddit explained in a text submission. “I would advise against viewing suspicious profiles until further notice and disable JavaScript in your browser options. Do NOT click suspicious (real) steam profile links and Disable JavaScript on Browser.”

According to Ars Technica, most of the exploit profile pages do little more than redirect visitors to a site with PHP code that prompts them to download an unknown file.

The good news is that Steam owner Valve Corporation has now patched the security flaw. If you are a Steam user and think you may have been caught by the exploit prior to it being fixed, Valve advises that you change your Steam password, enable the mobile authenticator, or, if you already use the mobile authenticator, go into the Steam settings and de-authorize any other computers on Steam Guard, and then restart your modem or change your IP address. A scan of your computer using anti-malware and antivirus software is recommended as well.

Image: Wikimedia Commons/ Public Domain CC0
