Thanks. Based on that information any privacy-conscious users should simply not use Steam or the Steam website until the bug is fixed. By not using Steam, their pages won't end up in cache and will not be leaked to others.
Yeah, but there's other bugs that do let you do that (pull peoples account info). I've found a plenty of exploitable vulnerabilities on steam but stopped reporting them after their support told me to go post "suggestions" on their forums instead.
Email security@valvesoftware.com; I've reported loads of things there (some serious, some pretty trivial), and they're actually very good about responding to things these days. Steam Support is totally useless, though.