A security flaw has been found in Steam's browser commands which could allow hackers to gain access to your computer through a back door.

Hackers could have a new means of accessing your computer through a browser command that uses Valve's software distribution system, Steam. When your browser accesses a URL that begins with "steam://", it prompts your copy of Steam to launch and perform some operation. Usually, such an operation would be to launch a game, or to install or uninstall software.


Unfortunately, it seems this gives hackers a backdoor to install or run compromising software on your computer, including by using exploits in games built on the Source and Unreal engines. Some browsers, such as Chrome or Internet Explorer, will not access such a URL without first prompting you; however, Safari and Steam's own browser will run these URLs without question. Firefox lies somewhere in the middle: it will ask you to confirm, but will not alert you that there may be a risk involved (unsurprisingly perhaps, as the command is meant to be associated with Steam).

No attacks in the real world have been reported so far, and the issue will probably be addressed shortly, but until then, be wary of any links you click and try to avoid strange URLs. A full report on the security hole can be found here: http://revuln.com/files/ReVuln_Steam_Browser_Protocol_Insecurity.pdf