Repaired Steam Exploit Explained by Devs and Community

Yesterday, a not-insignificant exploit in the Steam Community infrastructure was found and subsequently repaired. Amidst the panic and confusion, the developers provided information on the fix and the Steam community broke down exactly what the heck happened. On the r/Steam Reddit community, user DirtDiglett compiled everything anyone would need to know about the exploit and fix into one post. The wild part is the exploit was found in the “My Showcase” profile display option, where players could show off their favorite games, achievements and more.

Essentially, the part of the feature used for sharing guides displayed whatever text the user entered, verbatim. A guide could have a 128-character title, and up to four guides could be displayed at once. This was just enough of an opening for sneaky JavaScript abuse that could be used to “make market purchases without your knowledge, using your Steam funds, or it could silently redirect you to a phishing page.”

Fortunately, through the magic of not letting text display verbatim as users entered it, the problem was addressed.
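The class of fix described above, as an added example that is not Valve's code or part of the original article: a showcase renderer that emits guide titles verbatim next to one that HTML-encodes them at output time. The function names, the `guide_title` markup and the sample titles are assumptions made up for illustration; only the 128-character and four-guide limits come from the article.

```javascript
// Added example: names and markup are hypothetical, not Steam's real code.
const MAX_TITLE_LENGTH = 128; // title limit stated in the article
const MAX_GUIDES = 4;         // guides shown at once, per the article

// Encode the characters that let text break out of HTML text or
// quoted-attribute context.
function escapeHtml(text) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// "Before": the title reaches the page exactly as the user typed it.
// The length and count limits are enforced, but they do not neutralise markup.
function renderShowcaseVerbatim(guides) {
  return guides.slice(0, MAX_GUIDES)
    .map((g) => `<div class="guide_title">${String(g.title).slice(0, MAX_TITLE_LENGTH)}</div>`)
    .join('\n');
}

// "After": same limits, but the title is encoded when it is written out.
function renderShowcaseEscaped(guides) {
  return guides.slice(0, MAX_GUIDES)
    .map((g) => `<div class="guide_title">${escapeHtml(String(g.title).slice(0, MAX_TITLE_LENGTH))}</div>`)
    .join('\n');
}

// Regression check: true if any tag other than the wrapper <div> survives.
function containsForeignMarkup(html) {
  return /<(?!\/?div\b)[a-z!\/]/i.test(html);
}

// Constructed sample input: one ordinary title and one containing markup.
const sampleGuides = [
  { title: 'Beginner tips & tricks' },
  { title: '<script>/* constructed placeholder */</script>' },
];

console.log('verbatim leaks markup:', containsForeignMarkup(renderShowcaseVerbatim(sampleGuides)));
console.log('escaped leaks markup: ', containsForeignMarkup(renderShowcaseEscaped(sampleGuides)));
```

A check like `containsForeignMarkup` is useful as a regression test on rendered output, so a later template change that drops the encoding step is caught before release.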

Source: Reddit
