Possible security vulnerability documented in Steam when using certain internet browsers
79 replies, posted
[QUOTE=Forumaster;38061940]Why would any game [I]EVER[/I] be given the capabilities to do something like this?
What have you done, Valve?
No kind of verification that the server it's pointed to is actually run by the game's maker? Bad, bad, BAD.
Jesus, what happened to security?[/QUOTE]
The first one seems like it could be a legit feature being abused, the legit use being the ability to write files from inside the game (i.e. log files).
The second one, I agree. That is so dumb, the fact it doesn't care what it's being sent is even worse.
[editline]17th October 2012[/editline]
[QUOTE=Foxtrot200;38067724]If UAC wasn't so god damn intrusive, I'd have it enabled.
Does it have to ask for my permission when I click "Apply" in a control panel dialog?
[/QUOTE]
This is one of the times where it is really doing its job. No other operating system allows you to make system changes without authorising it even when logged in as an admin. It is entirely possible for malicious things to try and change settings.
Okay so I can see being able to create a bat file using source engine commands, but how would it make it run at startup? Even if they wrote a bat file that makes another bat file run at startup, I don't see a way of doing that without generating a UAC popup. That is, of course unless tf2 runs with administrative privileges for some reason.
[URL="steam://open/console"]steam://open/console[/URL]
These are useful too..
[QUOTE=ben1066;38075024][URL="steam://open/console"]steam://open/console[/URL]
These are useful too..[/QUOTE]
neat
[t]http://goo.gl/TPHpa[/t]
[QUOTE=Derpmonster;38063362]If you don't have Administrative privileges on your PC are you alright or?[/QUOTE]
It might still do a few small things but it cannot get into the registry, systemroot, parts of program files and a lot of other places.
So technically you're a lot safer. It's really one of the reasons why having UAC on is technically fairly good.
You should also be safe on OS X since it probably can't elevate itself as well.
[QUOTE=DeadKiller987;38074956]Okay so I can see being able to create a bat file using source engine commands, but how would it make it run at startup? Even if they wrote a bat file that makes another bat file run at startup, I don't see a way of doing that without generating a UAC popup. That is, of course unless tf2 runs with administrative privileges for some reason.[/QUOTE]
Just think how negatively UAC is seen by a huge number of Steam users because they don't fully understand it. The likelihood of a sizeable portion of Steam users having UAC disabled is pretty huge.
[QUOTE=Techbot;38075692]neat
[t]http://goo.gl/TPHpa[/t][/QUOTE]
] sv_cheats 1
>>> command not found: sv_cheats
] god
>>> command not found: god
:(
This is how God punishes people for running anything that isn't an administrative tool as an administrator.
This doesn't seem to work in gmod's browser... lame.
[QUOTE=BrainDeath;38077349]This is how God punishes people for running anything that isn't an administrative tool as an administrator.[/QUOTE]
Half of the time running software without admin screws it up in some way.
[b]Edit:[/b] Christ. Fpers are dumb.
[QUOTE=MIPS;38063676]From a programmer's perspective, this is actually kind of cool because from in your browser you could for instance have a link that when clicked took you to a specific gmod server.
But yeah, this is a pretty nasty bug.[/QUOTE]
Those links have been used for ages, MIPS :v:
[QUOTE=wraithcat;38076468]
Just think how negatively UAC is seen by a huge number of Steam users because they don't fully understand it. The likelihood of a sizeable portion of Steam users having UAC disabled is pretty huge.[/QUOTE]
It's actually you who doesn't understand, sir. Applying logic you'll find that the huge slowdown introduced by UAC for day-to-day activities does not justify the [i]potential[/i] chance to stop a malicious action from taking place.
Chances are you're so used to pressing "Ok" every time UAC comes up you'd not even notice a malicious program/action being executed.
[QUOTE=Trumple;38306500]Those links have been used for ages, MIPS :v:[/QUOTE]
Who gives a shit?
Just FYI, people can throw a Steam link in [img] brackets and it will load automatically even if you don't click it, be wary.
[QUOTE=Slight;38306391]This doesn't seem to work in gmod's browser... lame.
[/QUOTE]
Strange, doesn't gmod use webkit? Doesn't work from my tests either.
[QUOTE=latin_geek;38062853]For example it could format your hard drives, [B]open your CD tray[/B], delete files (and render your computer unusable), change your user password, disable any website, disable your firewall...[/QUOTE]
Oh God, no... not my CD tray... that's where I keep my anthrax stored...
[QUOTE=l l;38306561]Just FYI, people can throw a Steam link in [img] brackets and it will load automatically even if you don't click it, be wary.[/QUOTE]
I'd like to point out that this doesn't work, at least not on the forums I've tried which include a bunch of vbulletin/phpBB forums. The tags simply don't get parsed. I've also tried my own test.html page with an img tag set to a steam link and it simply displays as a broken image in chrome, FF, IE, and webkit; no steam link is loaded.
Guys, was the avatar glitch fixed? If not, can you give me a link to the one that changes your avatar to Allahu Akbar rat from Bad Rats?
-snip-
Might as well, pointless post