HTML Holes Exposed Sensitive Data For “private” Steam User Accounts

The hole

My Steam profile page, which correctly notes that my account is private.

If you went to my Steam community profile page before Monday, it would correctly show my profile as private (as it still does). You would get the same message if you tried to force the website to show a list of my Steam games, by adding “/games/?tab=all” to the end of the URL (e.g., http://steamcommunity.com/id/KyleOrl/games/?tab=all).

Viewing the HTML source code of that page, however, revealed a good deal of data that Steam users might want to keep private. Anyone looking at the source of this page could get a complete and apparently accurate list of every game in any private Steam library through a plaintext JavaScript definition for an array named rgGames[].

As you can see in the screenshot below and in this complete PasteBin copy of the source taken before the hole was fixed, this list is relatively human-readable, despite a lot of JavaScript cruft surrounding it. Fortunately, other data that is usually included in public user profiles, such as total playtime for each game, seems to have been suppressed in private profiles.

The source code for my “private” game page, as accessed before Monday, with the relevant game names highlighted.

The potential for privacy breaches continues from there. Using the revealed list of games and a minor amount of URL modification, anyone could expose a private Steam user’s Achievement page for the game in question. To access this page for Portal 2, for instance, you would simply add “stats/Portal2/?tab=achievements” to the end of a user’s standard profile URL (i.e. http://steamcommunity.com/id/KyleOrl/stats/Portal2/?tab=achievements). This page is usually not publicly linked for users whose Steam profiles are set to private, and relying on security through obscurity proved insufficient.
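The pattern described above, where the visible page says "private" while the page source still carries the rgGames array, is shown here as an added example next to a server-side fix and a regression check over the raw response body. This is not Steam's code: the profile data is constructed, and every function name other than the rgGames variable is hypothetical.

```javascript
// Added example: constructed data and hypothetical names, not Steam's code.
const profile = {                       // constructed sample profile
  id: "example-user",
  visibility: "private",
  games: [{ appid: 1, name: "Example Game A" }, { appid: 2, name: "Example Game B" }],
};
const PRIVATE_PAGE = "<p>This profile is private.</p>";

// Server-side authorization decision: a private profile is visible to its owner only.
// The same check has to guard every route, including ones the site never links to.
function canView(profile, viewer) {
  return profile.visibility === "public" || (viewer !== null && viewer.id === profile.id);
}

// Escape "<" so the serialized JSON cannot close the surrounding <script> element.
function toScriptJson(value) {
  return JSON.stringify(value).replace(/</g, "\\u003c");
}

// Flawed pattern: privacy only changes the visible message, while the full
// game list is still serialized into the page source for any viewer.
function renderGamesPageFlawed(profile, viewer) {
  const body = canView(profile, viewer) ? '<div id="games"></div>' : PRIVATE_PAGE;
  return `${body}<script>var rgGames = ${toScriptJson(profile.games)};</script>`;
}

// Fixed pattern: decide first, then serialize. An unauthorized response
// contains nothing derived from the private library.
function renderGamesPageFixed(profile, viewer) {
  if (!canView(profile, viewer)) {
    return PRIVATE_PAGE;
  }
  return `<div id="games"></div><script>var rgGames = ${toScriptJson(profile.games)};</script>`;
}

// Regression check: which private values appear anywhere in the raw response
// body (markup, inline scripts, comments), not just in the rendered text.
function leakedFields(responseBody, profile) {
  return profile.games.map((g) => g.name).filter((name) => responseBody.includes(name));
}

const anonymous = null; // viewer who is not logged in
console.log("flawed leaks:", leakedFields(renderGamesPageFlawed(profile, anonymous), profile));
console.log("fixed leaks: ", leakedFields(renderGamesPageFixed(profile, anonymous), profile));
```

A check like leakedFields belongs in the test suite for every route that can be reached for a private profile, since a page that renders the correct "private" message can still fail it.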
