Valve: Steam chat - trade offer presentation vulnerability

ID H1:745447
Type hackerone
Reporter hackerontwowheels
Modified 2020-02-19T00:57:06


It was possible to construct a Steam URL that began with "/tradeoffer/new" and included valid partner and token information, but which was in fact an external link. The crafted URL would be treated by the Steam Chat UI as a trade offer and given special visual treatment.