CVE-2026-5128
ArthurFiorette · steam-trader
ArthurFiorette steam-trader 2.1.1 is vulnerable to unauthenticated sensitive information exposure, leaking Steam account credentials and 2FA secrets via API and logs.
Executive summary
An unauthenticated attacker can gain full control of Steam accounts by exploiting a critical information exposure vulnerability in the unmaintained steam-trader software.
Vulnerability
The /users API endpoint allows unauthenticated access to sensitive Steam account data, including passwords and identity secrets. Additionally, the application logs authentication artifacts such as access tokens and shared secrets, which can be used to generate Steam Guard (2FA) codes.
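As an added defender-side example (not code from the advisory or from steam-trader), the following Node.js audit checks a captured /users response body and application log lines for the kinds of fields described above: passwords, identity and shared secrets, and access tokens. The key names, the response shape and the log layout are assumptions, and the sample data is constructed.

```javascript
// Added example, not code from the advisory or from steam-trader: audit a
// captured /users response body and log lines for the kinds of fields the
// advisory says are exposed. Key names and log layout are assumptions.
const SENSITIVE_KEYS = new Set([
  "password", "identitysecret", "sharedsecret", "accesstoken", "refreshtoken",
]);
// Normalise identity_secret / identitySecret / identity-secret to one form.
function isSensitiveKey(key) {
  return SENSITIVE_KEYS.has(String(key).toLowerCase().replace(/[_-]/g, ""));
}
// Walk a parsed JSON body; return dotted paths of sensitive keys holding a
// non-empty value (an empty password field is not a leak).
function findSensitiveKeys(value, path = "") {
  const found = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => found.push(...findSensitiveKeys(v, `${path}[${i}]`)));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const p = path ? `${path}.${k}` : k;
      if (isSensitiveKey(k) && v != null && v !== "") found.push(p);
      else found.push(...findSensitiveKeys(v, p));
    }
  }
  return found;
}
// Match key=value / key: "value" pairs for the same keys in a log line and
// return the keys hit plus a redacted copy that is safe to retain or forward.
const LOG_SECRET_RE =
  /\b(password|identity[_-]?secret|shared[_-]?secret|access[_-]?token|refresh[_-]?token)(["']?\s*[:=]\s*["']?)([^"',\s}]+)/gi;
function scanLogLine(line) {
  const keys = [];
  const redacted = line.replace(LOG_SECRET_RE, (_m, key, sep) => {
    keys.push(key);
    return `${key}${sep}[REDACTED]`;
  });
  return { keys, redacted };
}
// Constructed sample data (not real credentials), shaped like a leaking
// /users response and a log that records authentication artifacts.
const SAMPLE_USERS_RESPONSE = [
  { username: "bot01", password: "hunter2",
    steam: { sharedSecret: "c2FtcGxlLXNoYXJlZA==", identity_secret: "c2FtcGxlLWlkZW50aXR5" } },
  { username: "bot02", password: "" },
];
const SAMPLE_LOG_LINES = [
  "2026-01-10T12:00:01Z info login ok user=bot01 accessToken=eyJhbGci.sample.sig",
  '2026-01-10T12:00:02Z debug totp shared_secret="c2FtcGxlLXNoYXJlZA=="',
  "2026-01-10T12:00:03Z info trade offer 123 accepted",
];
console.log(findSensitiveKeys(SAMPLE_USERS_RESPONSE), SAMPLE_LOG_LINES.map(scanLogLine));
```

Any non-empty result from either function on a live instance confirms the exposure described above and means the credentials involved should be treated as compromised.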
Business impact
This vulnerability leads to the total compromise of associated Steam accounts, including inventory, trading capabilities, and personal information. With a CVSS score of 10.0, the severity is the highest possible. Since the repository is archived and no fix is available, any continued use of this software poses an extreme and unmitigated risk.
Remediation
Immediate Action: Cease all use of the ArthurFiorette steam-trader software and decommission any active instances, as no patch will be provided for this archived project.
Proactive Monitoring: If the software was used, immediately change all Steam account passwords, revoke active sessions, and reset Steam Guard/2FA secrets for all affected accounts.
Compensating Controls: There are no effective compensating controls for a software-level credential leak of this magnitude other than total removal of the software.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The use of ArthurFiorette steam-trader 2.1.1 must be discontinued immediately. Because the project is no longer maintained and the flaw is critical, there is no path to secure use. Users must migrate to a supported alternative and perform a full security reset of their Steam credentials.