I am writing an article about a Steam One-Click Vulnerability. If you have experienced a Steam hack like this and lost items and want to be included in my story, please reach out to me.

Here is a short excerpt:
"Here is how this one-click attack worked. The malicious actor sends a link in Steam Chat that looks like an official Workshop item. A friend's compromised account sent this link in Steam chat and asked the user to support the friend by upvoting the item. The user in this case knows not to click links, but accidentally touched the link, which opened the link in the browser. They immediately closed the browser tab. (They are not logged into Steam in the browser on their device.) Without any notice to the user, the criminal was able to add Steam Guard to another device in Russia."

Edit: Before you victim blame or jump to conclusions, maybe try to understand what happened. Or ignorance is bliss.

Edit2: I am just trying to help report on a new Steam one click malware. Several years ago people would not believe what AI can do now. Things change, advancements happen. And no system is secure.
I have talked with one security researcher who has told me about several very scary pieces of advanced malware. I am looking to correspond with more security researchers.
Thinking your account can only be hacked in the ways we believed were the only ways possible in the past does not help anyone.

Edit3: Changed the wording about the workshop item. It is not a workshop item but a link to a scam site. But no phishing is needed; you just need to click the link.

Edit4: User wants everyone to know that they thought having Steam Guard protected them. And it didn't. And the fact that the criminal was able to trade away items without them knowing was shocking to them.

Edit5: Steam did just update the mobile app to fix notifications, so maybe this fixes part of this issue of no notifications of trade or steam guard transfer.

6 months ago*

Have you had inventory items stolen on Steam?

Yes
No

reserved for something

6 months ago

sounds like BS

6 months ago

Because it is. The "hacker" would have to have access to steam servers to be able to get your data from there and if he had access to steam servers then they wouldn't have to do something so extra vs just going into your acc data straight up.

Likely what actually happened is they posted a malicious link, which made the user think he's on the steam official website when he opened it, and likely the user tried to sign in to steam, and provided his creds and the steam guard, or provided an api key or something.

But generally people who fall for these obvious scams are always like "nah I dunno what happened I didn't click on anything".

Edit: forgot to mention, of course the user might have downloaded one of the hacker's tools which could remote into the user's pc, and then the hacker could log the user's data this way, without having to hack into steam servers which I'd say is probably not gonna happen. I mean even the user wouldn't get hacked if he didn't give someone a backdoor into his pc for instance.

6 months ago*

agreed

6 months ago

you are wrong.
none of what you wrote has anything to do with this Steam one click malware.
but believe what you want.

6 months ago

show proof or nobody will believe you. searching for the text you quoted brings up no results. searching for steam one-click vulnerabilities brings up old articles, nothing current. the text you quoted is talking in third person about somebody else who was supposedly scammed, so is this a situation where you know a guy who knows a guy who claims to have accidentally clicked a malicious link?

6 months ago

I directly know the person affected. I have looked at the evidence. We have the device manufacturer looking into the security. Valve has not responded yet. If you want to read the current article check out my profile, as I don't think SG allows posting links.

6 months ago

there is no article

6 months ago

steam profile, click the akagumo link, it is at the top. Sorry for not being more clear about where.

6 months ago

sorry i don't click suspicious links

6 months ago

cool, then don't waste time asking for the article

6 months ago

you literally made a thread about how somebody did nothing but click 1 link and got their account hacked. now you want me to click on some sketchy link? textbook jabroni

6 months ago

i don't care if you click the link. but also, you don't believe one click is possible.
troll

6 months ago

stay mad jabroni

6 months ago

Give me the scam link, I will voluntarily check it

6 months ago

i am pretty sure sharing that would be a violation of TOS

6 months ago

made my day

6 months ago

This guy linked to his own website's article. He's an administrator in the akagumo group and the article is posted under the title shogun. FAKE NEWS.

6 months ago

whatever

6 months ago

i wrote in the top, i am writing an article. you have serious comprehension issues

6 months ago

I'm right, you're wrong.

I'm literally telling you it's impossible to get hacked unless you do what I said. About 12 years ago there was a popular trick for csgo where people would pretend to share an image of their skin in case you wanted to buy it. When you clicked the link it downloaded a .exe with a random skin for the image, and that provided a backdoor into people's systems as then they can get all the info they need. Other than this hack, or falling for an api scam, where you think you're trading with someone but it's some api scam bot impersonating them, or lastly directly hacking into the steam servers, it's impossible for someone to get your data. Impossible. They need access to your data somehow, they can't just force retrieve it.

Clicking a link and going to the steam workshop will never steal your acc data, you'd have to click something and login to the wrong website or download a file and run it, or have given someone backdoor access from some other source.

What you're suggesting is one of two things:
1) that someone has hacked into steam servers, and then instead of getting your data, decided to change the steam code to work that specific way, case in which again millions would be affected by now,

OR

2) you're suggesting he pushed his own code to the steam app source code, recompiled the entire app, and re-released it under valve's account for them (lmao) for anyone who clicks on his link to get hacked. If you don't find that ridiculous you just don't understand how code works. (also reverse engineered the app first too just because why the heck not, maybe he also went to mars on vacation for a day or two because why not, everything's possible and lets be honest if he could do this all without steam noticing, putting a stop to it, etc., he earned your items).

PS: I'm sure it offends you to be wrong and again no shot your friend would tell you the truth, but the reality is, he likely logged in to one of those "vote for my cs2 team" websites since that's the most recent scam, gave them the acc and password thinking he has to login to steam to use their site, and then used the auth thinking he was on steam again so he gave them full access.

6 months ago

1 or 2 are not the only possibilities.
2 is ridiculous, but who knows. i would not discount anything, but I am certainly not suggesting any exact way because we don't know.

unless you are a security researcher you don't know. even then you would have to see the device.

PS. i am never offended if I am wrong. so far you have not shown me to be wrong, just you speculating and then stating I am wrong. whatever makes you feel good.

6 months ago

Never heard someone refer to someone working in "cyber sec" as a "security researcher".

You say unless I work in that field I don't know, but it's more about understanding how computers work and how many "condoms" your pc and software wear so you don't f up every 2 seconds. If what you suggest would be possible, then that kind of exploit would be used on every single platform, every single device, every single website and it would be indefensible. If it was this simple, people wouldn't resort to social engineering hacking because they could just get a whale to click some random link on a yt video giving them access to who knows what kinds of infrastructure and erase civilization. It just doesn't work that way. If it did, trust me you'd know, maybe when quantum computers are out and sha encryptions go to hell you'll understand although likely they'll convert pretty much everything by then.

6 months ago

i hope you are getting paid by steam to spread your toxic misinformation.
otherwise you are unhinged

6 months ago

Not at all but I wonder if your website full of cringe bait articles pays you hence why you keep doing it?

6 months ago

toxic attacks every time you type

6 months ago

That's on you though. You have the chance to learn and you refuse yet you try to push your propaganda this could happen. I'm friendly but just because you say I'm wrong I'm not going to let it go. Prove me wrong.

Why am I to blame because you refuse to understand that in order to fall for this scam, you have to give your credentials away and your auth key? I already explained why they can't be taken from you by just clicking on the website, and by now, as others have pointed out, this is a common scam that requires the user to type in that data. Yet, you refuse this could be the case, and claim that your friend and just him got hacked in some way that no one else got hacked, although all it takes is someone to view the link, which means that hacker could make 50k bots and have sent 40 million links today. Yet, your friend is the only one affected by this miraculous hack that you have no evidence of other than "i'm sure my friend isn't lying to me" and "trust me bro look at this article I totally don't want to tell you I wrote".

6 months ago

you started and have continued the toxic attacks. that is on you.
typical narcissist response

6 months ago

I didn't start. You posted. You started. Someone else called you out and I agreed. Then you tried to spread misinformation. Maybe you are the narcissist since you can't let it go despite having no arguments to prove your point. Me replying to you isn't an attack, as you keep replying to me with a constant flow of insults while I'm pointing out why you're wrong over and over again. That's not an attack, because you choose to participate and continue the conversation. You could end this at any time. You don't want to, because who knows, like you claim I might have some mental condition, you probably have all of them simultaneously since you can't admit you're wrong already. Like if I'm narcissistic imagine what you have to be for not being able to let it go and admit you're in the wrong. As persistent as I am even I'm about to let you do your thing because I'm bored now since you've done nothing but reply with these useless derailments and insults vs actually questioning and theorizing how your supposed exploit would even work and providing sources to support that it would be possible. However, I knew from my first comment you weren't going to be able to do that, because your argument is BS, and you have 0 proof like I said at the start. :)

6 months ago*

typical narcissist. you "said" something so that gives me the right to viciously attack you.
the narcissist always thinks responding to their attacks is being unfairly attacked themselves.
and they "know" everything.
and narcissists think you have to do what they tell you to do.
get a life

6 months ago

This.

It really is this simple: If an exploit is available where the user doesn't even have to click the link (just move the mouse over the link, highlighting it as described in OP's post) then Steam would not be the first place this exploit would show up, and it absolutely wouldn't be the only place it showed up. The entire world's online systems would be taken over within a day or two - hence the end of the world comment above.

It just isn't feasible or believable, and empirical evidence shows it is also not happening - because it isn't happening worldwide, at least as far as I know. And trust me, we would all know. All crypto currency accounts would be lost, all bank logins would be lost, all online stock/currency programs/accounts would be lost, and so on. It would be a news uproar if this was happening.

However, if a user has previously (aware or not) downloaded and installed malware, or if the user did click links but doesn't want to believe/admit it, then this can happen of course. As it often does on Steam. Links that lead to scam sites that look like the real thing are definitely a thing, and an ongoing issue.
People who are ashamed that they got so fooled and not wanting to admit they did anything wrong are a thing too.

So, ask yourself which of above sounds more believable, and which fits what you can see around the world at present.

6 months ago*

the only way it would probably be possible is using a cross-site exploit catching the cookie, but that would imply more factors i guess

6 months ago

You could easily prove this, post:

Method?
Code examples?
Exploits used?

6 months ago

6 months ago

there seems to be some cope going on in the comments

6 months ago

Well, you need to understand that you are making a strong claim with literally zero proof. No wonder people have doubts. On top of that, it's very strange to ask for help on an unrelated forum. Why do you need that to report the vulnerability? You already have a person with the malicious link in both the chat and browser history - that should be enough to both report this issue to steam and even investigate it, if you want. And, as another reason to have doubts - it's very strange that there is only a single case of such a scam. Was your "friend who got scammed" extremely wealthy, and had like hundreds of thousands of dollars' worth of inventory? Because, you know, if it's so easy to scam people - scammers would start with the wealthiest users, before the vulnerability is fixed.

6 months ago

6 months ago

keeping everything up to date is important.
but this was a mobile device, the newest hardware with the newest OS.

6 months ago

You'd still have to download a program and run it for it to activate, at which point, there's easier ways to steal your acc data and this method would be used for much more intrusive things.

6 months ago

zero day or one click do not require running anything

6 months ago

Elaborate I'm not sure what you're trying to say.

Zero day vulnerabilities happen with new software, they wouldn't happen for an app that's been out for as long as the steam app has already, nor would it happen to a software this big even if it was new because that's exactly why they black/white test. Also a zero day vulnerability is fixed within a day and steam has more than enough tools to revert anything before you'd get a response from steam support. It's not a zero day, that's basically catastrophic.

One click hacks affect millions of people, not 1. If there was a one click hack you'd know, trust me. It would be posted on every platform by the thousands and patches would have already been made within hours. Basically like with a zero day. They wouldn't use a one click hack to steal your skins when they can steal your bank, 401k, stocks, btc. They know the hack will get patched fast so the idea is to target a big player and take a lot and vanish, they ain't gonna take your $30 of steam trading cards.

A zero day vulnerability also implies that the devs don't know about the exploit, however in the case hbarkas posted, it's well known at this point and I'm sure it's safe to say it's fixed with the exception of a few people who refuse to update case in which oke. Also for how it works if I'm understanding it right the hacker would have to first find another method to take control of your pc, and then they can push the file onto your computer, so until they got that they still can't do anything, and if they can get access to your pc they don't need to use that to steal your acc data, or the second option is walk up to your pc and replace the boot file while you're not looking.... like those scenarios are basically impossible.

6 months ago

Except that's not how it works. If the "malware" is able to execute after subscribing, that would require a Windows, Linux or Mac exploit or a code execution exploit in the associated game, not a Steam exploit. The downloaded content is not executed when you subscribe. Said data is only accessed when the associated game is run and, under normal circumstances, cannot execute code outside of its own thread.

Steam accounts are, usually, compromised through phishing and manipulation. The affected party signs into a third-party site that has been masked to appear as if it is otherwise legit (or a legit third-party site that has itself been compromised), with the user effectively handing the username, password, and current 2FA code to the malefactor. Said malefactor compromises the account but, usually, leaves the account alone for months to reduce the chance the victim will secure the account. After the cooldown period, the malefactor drains the account, begins sending malicious links to the friends list via web API so as not to be detected, and/or just outright claims the account. This makes it appear like the "hack" happened suddenly and as a result of some other action.

There is no "one-click vulnerability". The vulnerability exists between the keyboard and the chair.

6 months ago

"Steam accounts are, usually" Exactly. But this is new.

There are now a lot of one-click and zero-day vulnerabilities. Why would anyone think that a bank app or OS can be compromised, but not Steam?
That is why OSes and apps need to be updated constantly.

6 months ago

No, it's not new. Spend a day on the Steam Discussion forums. People have been claiming this for years. Every claim boils down to someone clicked a link thinking it was legit and wasn't.

6 months ago

one-click means that they click a link and then the malware takes control without any action.

6 months ago

See, then what Fang said is correct: people clicking dodgy links.

6 months ago

"The user in this case knows not to click links, but accidentally touched the link which opened the link in the browser."

Can you explain this sentence more, they moved their mouse over the link, without clicking it, and the link opened anyway? Or the user went to investigate the link and accidentally clicked it open?

Also, is it possible to add malware to the steam workshop? I've never really used it but that sounds a bit scary.

6 months ago

it was on a mobile device. their hand accidentally touched the link in the Steam Chat app. have you ever touched and opened something accidentally on your mobile device? i have.

if you want to read the current article, then check out my steam profile. I don't think I can share a link on here.

6 months ago*

Depending on the game and its upload tools, it's possible but extremely unlikely. Valve does have some backend monitoring incoming data. But if the game itself uses proprietary archiving formats that can be tricky.

Take, for example, Starbound. The upload tool packages target data into an archive that is then uploaded to Steam, but doesn't itself check the content of the archive. There was a user that used this to distribute the paid Java version of Minecraft, Minecraft cheat tools, and an archive of meme images via the "mod" subscription: all the subscribing user had to do was manually unpack the workshop archive using Starbound's bundled unpack tool. That all said, though, there was no way for Starbound to execute any malware this way unless an exploit was found in the game itself that allowed external code execution.

6 months ago

Thank you for the info, I had no idea the workshop was used, or could be used in such a way.

6 months ago

I revised my post about the workshop item, it is a scam link. The malware is on the scam site, not on the Steam Workshop. Sorry for the incorrect wording.

6 months ago

I just read the article. Classic phishing. Nothing was "accidentally clicked". The affected party clicked the link and was prompted to "sign in" to upvote. This is an OLD scam, and people keep passing the blame.

6 months ago

As stated, the user did not enter anything. They closed the tab immediately. Not phishing. Ugh.
More victim blaming. Classic.

6 months ago

And the proof that it was "one accidental click": Trust me bro.

Again, people pop up on the discussion groups daily claiming this and have for many years. It's never the truth. It's always they fell for the phish and try to pass blame off themselves. Give a source that isn't a small-time streamer's personal website if you're going to try to "help".

6 months ago

you have to ask yourself, why would anyone lie about this. it gains them nothing.
dismissing because it is not on CNN? whatever...
believe what you want.

6 months ago

Why? I can think of a number of reasons proven by human nature:

  • Personal exposure / celebrity
  • Responsibility shifting / denialism
  • Personal ignorance / stubbornness
  • Innocence / gullibility

You ask what they gain. What do people gain lying on Twitter, Facebook, forums, et al.? Attention. What do people who fall for scams gain by passing the blame? Sympathy. It's also possible they don't even realize they screwed up and that it's their fault in the end, thus the innocence inclusion: Nothing is "gained", they just don't realize it was their own fault and they end up spreading misinformation thinking that they're helping, when in reality all that does is weaken awareness of the truth.

If this is, in reality, a "new" exploit, publicly discussing it was the worst possible way to handle it. By doing so, you've just exposed the scammers and they now have the opportunity to move on to new tactics before Valve can pursue the issue. But again, it's not. It's the phishing link scam rehashed over and over again.

6 months ago

The most important reason people lie about this is because steam will not refund your items when it's clear you've been a complete baka. So what people try to do is lie there's an exploit and somehow they got hacked another way so that steam refunds them the items they lost due to them not paying attention.

Kinda like those people who go someplace to get a service, they ask for some weird request that is part of the procedure so it's never done, and then when you tell them that "we don't do that" they say "They've done it for me before!" although no one did it for them before and you know that they're lying and you have to repeat yourself and tell them no we don't do it this way, find the person who did it for you.

People lie for all kinds of reasons, likely, to gain something from it.

6 months ago

If that's the case, why not create a Smurf account, put a cheap item on it, click the link, prove that you are right, and post it here, on TikTok, and everywhere? You will get a massive amount of views.

Your friend is definitively lying. It's not possible to do that kind of thing by just clicking a link and not doing any other interaction.

6 months ago

I'm trying to understand what happened and whether this is possible.
I'm trying to put the pieces together spread across your comments.

First of all, all of this was on mobile? The chat where you clicked the link was in the Steam app?
So the tab opened in a mobile browser? Which one?
What did the page look like?
You sure you didn't click sign in in said tab?

Btw I never victim blame and am not attempting to. Even when it's social engineering the fault obviously is on the bad actor preying on people.
I don't get people who blame victims. Like if you know a common scam, good for you; if you don't know a particular one you would've fallen prey - no one in the world is obliged to know what you currently know, and heck, at some point in time you didn't know. Everyone at some point didn't know how to be aware of any scams. Blaming the victim is illogical even if it could've been avoided.

I never have lost Steam items but I do worry about scams and malware precisely to prevent it, but I have fallen for a non-Steam irl scam before. The best defense we have where authorities, companies and the tech can't cover us is awareness, so I see posts like this as more than welcome.

But I do want to understand. I'm trying to imagine how a site loading in the browser could've transferred Steam Guard away and I'm failing to imagine it (I'm no programmer, but from what I know of how the involved systems work - isn't much but more than nothing).

Does anyone know if Steam generates/uses any URL for confirming transfer or changes to Steam Guard? Or if that could be done via Steamworks with some command and such?

Also supercollider, are you sure you didn't have any malware prior? Have you clicked other links from said friend or others in the past? Maybe that link was only the last step of the scam. idk, just brainstorming

6 months ago

didn't happen to me. I have been lucky so far.

this did happen on mobile. iOS, which I thought was more secure than Android.
the chat link the user accidentally touched was inside the Steam Chat app.
they said they didn't look at the page they quickly closed the tab. the mobile browser was Safari.
they did not sign into any site, they know better. they know about phishing sites, we have discussed many times in the past.

there were no notifications on steam app on Steam Guard transfer or trades.
Steam did just update the mobile app to fix notifications, so maybe this fixes part of this issue. not sure.

again, not me, but I am pretty sure the user did not install any malware prior.
they are not the typical gamer and not a kid.

6 months ago

Where is "Who knows?" variant?

6 months ago

OP had no evidence so he just made some shit up and dumped it onto his site like it's news. Fox and CNN both would like to hire you.
6 months ago

cope

6 months ago

troll

6 months ago

You're the only one coping and trolling here. Your entire source is "trust me bro" and then you couldn't even have the decency to tell someone you're the one posting the article that you're referencing.

Also, your entire "evidence" is based on what someone else told you. Your source comes from someone else who said the exact same thing to you, "trust me bro". Like you haven't questioned it a little bit.

6 months ago

i wrote at the top, i am writing an article. you got a serious problem. get help!

everything you say is wrong. i checked and questioned the evidence.

6 months ago

Then stop making claims with 0 evidence. Provide the proof, or delete your site from embarrassment. Either is okay with me but right now, you're nothing more than a liar.

6 months ago

dude, get a life. you are the liar!

6 months ago

How would it even be possible for me to be the liar? All the exploits I've suggested are possible(and there's multiple sources for them), including the fact that I said it's possible to get linked to a fake steam site, give your login info and auth info and then get hacked and then you went ahead to change your article and the OP. Like you used what I taught you about such exploits to change your story to try and make it fit although it still wouldn't be possible.

Here, I'll do you an extra one and explain why your current story still wouldn't work so you can change your story again to a different one lmao. Clicking a link on mobile doesn't provide a back door into your phone. Clicking a link might lead to an automated file download, and opening the file might do as such, as it could be a backdoor to run and retrieve and send the information out, or run a hack to make the trade. But even in your situation, clicking the link went to the phone browser, which as you said the user wasn't logged into. So it wouldn't have been able to send a trade on its own from there even if he downloaded and ran the file, as their browser wasn't logged in. However, if he did log in, then he gave them credentials, and then if he used his auth, he gave them the auth key, thinking maybe he's logging into steam on the browser, instead going to a phishing site. Then it's possible because you're literally typing in the credentials for them to have.

You're welcome, now you get a life, or ... change your story again?

6 months ago

you got a serious problem! calling people liars with no evidence.
making wild statements without evidence. stating others have no evidence without understanding anything they wrote.

maybe try to do something positive with your life.

6 months ago

Where's your evidence, though?

6 months ago

first, this post is for people that have experienced this issue to contact me if they would like to share.

second, have already shared some evidence.

third, as stated I am writing an article which has more info.

6 months ago*

The three important parts of an argumentative essay are:

  1. A thesis statement is a sentence, usually in the first paragraph of an article, that expresses the article’s main point. It is not a fact; it’s a statement that you could disagree with. Therefore, the author has to convince you that the statement is correct.
  2. Claims are statements that support the thesis statement, but like the thesis statement, are not facts. Because a claim is not a fact, it requires supporting evidence.
  3. Evidence is factual information that shows a claim is true. Usually, writers have to conduct their own research to find evidence that supports their ideas. The evidence may include statistical (numerical) information, the opinions of experts, studies, personal experience, scholarly articles, or reports.

The only "evidence" you can find on this is people in the steam discussion forums not wanting to admit they fell for this scam and gave their creds away along with their auth key, which can't count as evidence because their source is "trust me bro" and it's not factual information, thankfully because then anything goes as evidence.

source

6 months ago

Okay, but where?

6 months ago

Understanding what you wrote doesn't mean it's true. You're trying to post articles to your site, you should know some things about journalism. Just cause you post it doesn't mean it's true. I can say "Pigs fly". You can understand it, but it doesn't make it the truth.

I think I have exponential evidence against your claims which you cannot defend. Ask your "security researchers" that you're speaking with how this would even be possible. Post their LinkedIns and their statements here so we can make sure no one else hires them for "security research".

The most positive thing I can do right now is explain to you that what you're suggesting is impossible and your source has lied to you. How you use that information is up to you, but it's a lie. You're just posting propaganda. I want you to understand you're safe if all you did is what you suggest the user has done.

However, if you do log in and use the auth to sign in to such a sus website, then you can be hacked. I want you and others to understand that difference.

For reference, consider Gaben's account never got hacked, and he willingly shared his password and account name live and it's been seen millions of times.
Here, a source for you: source

6 months ago*

You are making wild allegations and slander.
You have nothing better to do with your life?

Not sure why you think anyone has to do what you say. Mental problem?
I don't have to do anything you ask. You don't even understand what I have written.

6 months ago

You're the one making wild allegations about how computers work and slandering steam.

6 months ago

Do you work for Steam? Are you Steam's daddy?
I think Valve can handle their own business.
So far, you are the only one slandering.

6 months ago

Sure, post the steam response here after you contact them although you'll likely get someone who doesn't know cybersec(because it's not their job or passion) at all nor do they care and they'll give you some copy printed message about how you should stay safe. Ask them if it's possible to get your acc data stolen just by clicking the link and not logging in and not giving your auth key away.

Also I don't work for Steam nor am I its daddy, but I'll step in to correct you since they'll likely never see you or me and I'd rather you get the true information than live your entire life blind, and so you're wrong again. It seems you just don't understand what these words mean, but the definition of slandering is "to damage someone's reputation by making a false spoken statement about them" according to Cambridge (https://dictionary.cambridge.org/us/dictionary/english/slandering) and I'll trust them before I trust your definition of anything.

For your reference, me pointing out you're wrong and providing supporting evidence that you have yet to refute stand to support that I am not actually slandering you, but rather calling you out for your bs. That's not slander.

However, you on the other side, insinuating that the steam security is so weak that with the user clicking on a random link their entire account data can be stolen, with no actual evidence to support your claims other than 1 friend of yours who was scammed(word of mouth you don't actually have any way of proving yourself or supporting) is actually slander towards steam.

Also, calling me a liar, suggesting I use logical fallacies, etc. is actually slander, because you're attempting to create a false narrative that I am in the wrong and fabricating fake "evidence", however you have taken no steps to disprove my arguments thus far.

So it's you doing a double slander, and me doing none. Wrong AGAIN!

6 months ago

Chatting with you is like chatting with AI.

6 months ago

Likely because so far all your prompts have been so basic even those missing a few chromosomes would laugh and so I have yet to encounter a difficult prompt from you that I cannot prove wrong. I'll take that as a compliment, as in no matter what you do, I'm always smarter, but you feel in control because you're in denial. As the AI here, all I can say is you do you man, but the data is out there. I'm using it in my model. I did my research, will you do yours?

6 months ago*

Not sure why you are so toxic. Get help.

6 months ago

How am I toxic? I point out how your argument doesn't hold up, and you attack me, and then I'm toxic for calling you out for it?

6 months ago

You started with toxic attacks and have continued your baseless toxic attacks.

6 months ago

You use a lot of logical fallacies.
You are pointless.

6 months ago

My "logical fallacies" have more factual information, evidence and make more sense than everything you've said so far.

6 months ago

That is just stupid.

6 months ago

Says you, like you're in any position to be able to classify anything as stupid other than yourself after the statements you've made in this thread because you didn't want to back down and try to understand why it's not actually possible for what you suggest to happen. You went full denial and we're at fault for it.

Hear me out, if by the end of this thread you're willing to admit you were more than likely in the wrong and will research more, I'll have a more positive view about you as at least you're taking steps in the right direction. Until then, my opinion is that you're not even trying and you're full sending it into oblivion.

6 months ago

It's not just him, it's his friend too, so it's true. 😔
(/s, just in case)

6 months ago

huh?

6 months ago

He was probably going to give you a "+1 friend" until he saw that spoiler.

6 months ago

lol

6 months ago

I heard from a friend of a friend that his friend told him that the story totally checks out.

6 months ago

Hey it's me ur brother

6 months ago

The whole true/not true thing aside. I'll just step out of that debate because enough people are poking you about that.
I read the article, and so many things are wrong. Grammar, spelling, punctuation, and overall structure of the article (both content and form), it's all over the place. That discredits you even more because it looks unprofessional, and it's kind of hard to read.

6 months ago

Have you had inventory items stolen on Steam?

No: 104 (99%)
Yes: 1 (1%)

New game, guess who the 1 vote is.

6 months ago

I don't know, because the person that got items stolen doesn't use SG.

6 months ago

A little context, for future readers.
Here is the "article" OP is pulling from: https://akagumo.com/serious-steam-vulnerability
The site in question is the personal blog of a nobody Twitch streamer who has such monetized video articles as "Should we ban books?", a 9/11 conspiracy bait article, many other clickbait and trafficbait videos, and many "giveaways" to advertise their Discord and Twitch channels. Said article, for those unwilling to click/read, is a "trust me bro" third-party claim that "a friend" had their account "hacked" after accidentally clicking a link.

Make of it what you will, but this is the same tripe people have been claiming since Steam trading became a thing.

6 months ago

OP isn't pulling from someone's article, he wrote it. He used an article he wrote as his source.

6 months ago

I was wondering, but didn't want to assume. I hadn't seen enough evidence personally to prove that.

6 months ago

If you go to his Steam profile it's "Shogun"; the article is posted by "shogun".

see the image here
source

6 months ago

Oh hey, you're right. I hadn't even noticed. That makes more sense on why they're hesitant to directly post links to their own blog (advertising). I wish SG had post edit history. I swear the original post obfuscated that they were the original author.

Anyway, thanks for setting me straight. That's what I get for trying to give them a little credit.

6 months ago

Very conspiratorial.
What a genius.

6 months ago

Appreciate the context and the info, thank you!

6 months ago

Before you victim blame. Or jump to conclusions, maybe try to understand what happened. Or ignorance is bliss.

But you explained nothing, proved nothing, and what you told is unconfirmed. Then you mocked commenters.
It's good not to click on random links, but there doesn't seem to be much weight to this post.

6 months ago

I did not post here to prove anything. I was asking for people that have experienced a similar issue to share.

6 months ago

Alright, so is it possible, that your friend who claimed this perhaps omitted some details or unknowingly misinformed you about how this happened?
Almost everyone in the comments is calling this story in question, so I think applying Occam's razor is ideal.

6 months ago

According to your comment here it's a mobile device and according to your website it's an Apple mobile device. On iPhones apps are sandboxed, meaning an app cannot pull data from another app. Any outside-of-Steam link would be opened in a browser from Steam Chat, whether it's outdated or updated. It's not related to the Steam Chat app. To add / replace Steam Guard, they need your phone number as 2FA because Steam sends the authentication code to that number, so they cannot do that. What they can do is use the iPhone as an already authorized device, so if the story is true, what happened here is they hacked into your friend's iPhone and used the Steam app's authenticated credentials file stored on the iPhone. So at best, it's iPhone malware. Not a Steam Guard problem.

6 months ago

That is your guess. Maybe or maybe not. But you are assuming a lot; we don't know.

6 months ago

I'm not assuming more than you do. Also, the only part I assumed is that it's iPhone malware. The other parts are not an assumption.

Let me tell you this: a couple of years ago, I found a Steam account that I had made with my old email address and old phone number (much older than my current Steam account). Both don't exist today (though the phone number could be someone else's). The hacker knew that Steam login username and even its password. They still couldn't hack into it. I realized this when I visited another dumb email address of mine where the original Steam account's emails were forwarded (don't ask why I did this, it was a stupid teenager mindset). There were hundreds of emails from Steam Guard about someone trying to log in to that account. They just didn't get the Steam Guard code so they couldn't log in despite how many times they tried. So Steam Guard protected that account for God knows how many years.

Of course, there is no malware in this story. Just wanted to share how reliable it is.

Malware is targeted; it won't work on every device or operating system. So the hijackers should know which device they are attacking. Are you really sure there wasn't a bit of social engineering involved here?

6 months ago

I don't think much can be done, every comment that has any doubt, or lists facts that go against OP's story is labelled as lies or assumptions. They have no idea what they are talking about, and either refuse or don't understand the comments. Stupidity or some malicious agenda, there is no going forward here.

6 months ago

It seems so. The whole post (here and on their website) consists of claims; there is no evidence whatsoever. Even if the story is true, it's most likely a result of malware or social engineering, more likely the latter.

6 months ago

Either this, which is highly unlikely because it's more effort than the worth of skins, or the hijack took place weeks/months ago and whoever did it simply waited for the victim to forget any links/logins, and it's nothing more than a coincidence.

Anything can be anything obviously and 0,00000000001% chances exist. Regardless, Valve's and Apple's answers are all that matter. Without them, everything is speculation.

But a 1-click thing, nah. I agree that it would have been used a lot differently than this.

6 months ago

Yeah, it's 99,9% phishing / social engineering. I too don't think anyone would invest time to make malware for iPhone just to hijack a Steam account.

6 months ago

Your friend logged in using a phishing website and doesn't want to admit that he or she fell for a phishing scam. And once they steal the username, password and MFA code they generate a Steam Web API key and the rest is known. All other methods require malware on PC and phone.
And if any one-click vulnerability really existed at this moment, this scenario would be different:
https://www.youtube.com/watch?v=YOb5qGBdP_I

P.S. I click on every suspicious link I get in Steam chat only to confirm it is phishing and report it. My items are still in my inventory.

6 months ago*
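The chain described in the comment above (a chat link to a lookalike login page, then the username, password and Steam Guard code typed into it) stands or falls on whether the victim notices that the host is not Steam's. The following is an added example, not code from anyone in this thread or from Valve: a small link-triage script that pulls URLs out of a chat message and decides whether each host is an official Steam domain, a typosquat, a host that merely embeds "steam" somewhere, or a URL using tricks such as `user@host` or non-ASCII homoglyph labels. The allowlist of official hosts, the edit-distance threshold and the sample chat line are assumptions constructed for the demo, so verify the allowlist against Steam's own help pages before relying on it.

```python
"""Link triage for URLs pasted into Steam chat.

Added example; not from the thread or from Valve. Assumption: the allowlist
below is complete enough for the demo. The sample chat line at the bottom is
constructed, modelled on the "upvote my workshop item" message the thread
describes.
"""
import re
from urllib.parse import urlsplit

# Assumed allowlist for the demo; any subdomain of these counts as official.
OFFICIAL_HOSTS = ("steamcommunity.com", "steampowered.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-letter typosquats such as l for i."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return 'official', 'insecure', 'suspicious', 'lookalike', 'unrelated' or 'invalid'."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if not host:
        return "invalid"
    # "https://steamcommunity.com@evil.example/" shows a convincing name before
    # the real host; userinfo in a login link is never legitimate here.
    if parts.username is not None or parts.password is not None:
        return "suspicious"
    try:
        host = host.encode("ascii").decode("idna")  # expand xn-- (punycode) labels
    except UnicodeError:
        pass  # host already carries non-ASCII characters; handled below
    host = host.lower().rstrip(".")
    # Anything non-ASCII after decoding may be a homoglyph (Cyrillic a, dotless i).
    if any(ord(c) > 127 for c in host):
        return "suspicious"
    if any(host == o or host.endswith("." + o) for o in OFFICIAL_HOSTS):
        # Real host, but plain http would let a network attacker rewrite the page.
        return "official" if parts.scheme == "https" else "insecure"
    # Official name used as a subdomain ("steamcommunity.com.vote.example") or a
    # host within two edits of the real one (threshold is an assumption).
    if "steam" in host or any(edit_distance(host, o) <= 2 for o in OFFICIAL_HOSTS):
        return "lookalike"
    return "unrelated"


def scan_message(text: str) -> list:
    """Find every URL in a chat message and pair it with its verdict."""
    return [(u, classify_link(u)) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    # Constructed chat line, not a real message from the thread.
    msg = ("hey can you upvote my workshop item "
           "https://steamcommunity.com.workshop-vote.example/sharedfiles/?id=1 thanks")
    for url, verdict in scan_message(msg):
        print(verdict, url)
```

The point of the "suspicious" bucket is that it fires before any string comparison: a `user@host` URL or a homoglyph label is rejected on shape alone, because the commenters' whole argument is that the page the victim typed into was not Steam, and those are the two tricks that make a non-Steam host read as Steam in a chat client.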

(attached image)
6 months ago

Exactly this, a simple phishing attack. Going to the link alone wouldn't do much to steal the Steam account... But if after clicking it, it showed the official Steam permission page and the victim clicked "Allow"...

How is this a Steam vulnerability? Just be careful next time and remember to keep your valuable stuff safe.

Because today it was a Steam account, but if you were tricked like this, next time it might be your bank account.

6 months ago

As is often the case in Internet discussions, this thread has quickly devolved to name calling and smearing. Let's try and analyze things with a clear head.

The OP claims their friend was hacked by clicking a link, from Steam chat, and opening it in a browser, on a mobile device. For this to happen, there would have to be a certain sequence of events, which could be described as the following:

  1. Hackers come up with a totally new exploit, previously thought impossible because of the way HTTP works.
  2. These hackers start using this revolutionary attack to get control of Steam accounts.
  3. One such hacker uses their state-of-the-art attack tools to take control of one of the OP's friend's Steam friends' accounts.
  4. The hacker messages OP's friend.
  5. OP's friend clicks on the link and then immediately closes the browser.
  6. Hackers install Steam Guard for the OP's friend's account.
  7. Hackers wait two days.
  8. Hackers transfer Steam items from OP's friend's account and start messaging OP's friend's contact list.

On the other hand, it's possible there was some miscommunication or a simple misunderstanding, which would reduce the sequence of events to the following:

  1. Hackers make up a fake website that asks for credentials, using a well-rehearsed approach.
  2. The hacker messages OP's friend.
  3. OP's friend enters their login information in the fake website.
  4. Hackers install Steam Guard for the OP's friend's account.
  5. Hackers wait two days.
  6. Hackers transfer Steam items from OP's friend's account and start messaging OP's friend's contact list.

If such a revolutionary one-click hacking method existed, it's more than likely that it would be used in large-scale attacks. Moreover, it would certainly be used against other targets, such as bank accounts, trading platform accounts, crypto accounts, social media accounts, etc. The fact that no one has ever heard of such an attack, and that no news outlet around the world seems aware of this breakthrough points to the second sequence being more likely.

Two principles should help us come to our conclusion: Occam's razor and the fact that extraordinary claims require extraordinary evidence. Both suggest that OP's friend entered their login information in a fake website and were not using Steam Guard.

6 months ago

If such a revolutionary one-click hacking method existed, it's more than likely that it would be used in large-scale attacks. Moreover, it would certainly be used against other targets, such as bank accounts, trading platform accounts, crypto accounts, social media accounts, etc

You've mixed things up. Vulnerabilities can be very narrow and target a single service or specific hardware. There are enough examples in the past of serious vulnerabilities that could be exploited against a specific target, even zero-click ones.

6 months ago

Yes, but in this case, the target would be the browser or the phone's URL action system. If someone discovers a zero-click vulnerability affecting either of those, I doubt that they would limit themselves to hacking only Steam accounts.

6 months ago

If the attack works only against Steam then obviously it can target only Steam. For example, you can address Steam client from a desktop browser through steam:// links (that's how you can install games from there) and if there's a way to create such malicious link which penetrates Steam's protection, you wouldn't even notice this. Or the malware could steal some Steam tokens stored in a browser.
In the case of vulnerabilities it's hard to predict where they could strike; that's what makes them dangerous. But since there aren't enough facts yet, I'd refrain from theorizing.

6 months ago

What Raggart is referring to is the action triggered by clicking the link. The Steam app requests the system to open a link and the system opens said link in the default browser. There's no direct connection between the Steam app and the browser. Therefore there would have to be a vulnerability in the part of the system that's responsible for opening links, a system used by millions of apps. So why limit this kind of attack to taking over Steam accounts?

Yes, you can request to perform actions in the Steam client via the Steam browser protocol. But this needs to be enabled/approved and is very limited to specific actions. There is no way to load external content within the Steam client, you can only trigger to load an external URL in the system's default browser, not the Steam desktop client. The browser protocol is limited to the desktop client though. On iOS/Android the apps register which links are supposed to open in the app instead of a browser, so there's no way a website could simply request to run just any app it wants with any external content it wants. If this was possible, then - again - it would be a system vulnerability first and foremost.

Or maybe someone sneaked malicious code into the Steam chat app 3 years ago and just now started using it. I doubt it though. OP didn't provide any evidence to support the claims, initially even leaving out details (e.g. OS & browser used) that are crucial to validating vulnerabilities like these. I'm not saying this vulnerability is impossible, but the sparse evidence paired with the unlikelihood of targeting Steam accounts instead of a few high-value targets like whales makes it pretty implausible.

6 months ago

There's no direct connection between the Steam app and the browser

Seems you've missed my previous message. You CAN directly connect to the Steam app from a desktop browser through steam:// links.

There is no way to load external content within the Steam client

You can't say that there's no way to do anything unintended even if you're a developer of the app or a protocol (and I believe you're not). Vulnerabilities are the way to do things that seemed previously impossible, that's the point.

6 months ago

Seems you've missed my previous message. You CAN directly connect to the Steam app from a desktop browser through steam:// links.

The text you quoted was in the context of a mobile OS and is still valid. There is no direct connection between the Steam app on iOS and the default browser (in this case Safari). I did not miss your message since I addressed it specifically in the 2nd paragraph.

You can't say that there's no way to do anything unintended even if you're a developer of the app or a protocol (and I believe you're not). Vulnerabilities are the way to do things that seemed previously impossible, that's the point.

Since the Steam browser protocol is only available in the Steam desktop client, even if the protocol had a vulnerability, it wouldn't be on mobile and therefore isn't applicable here.

6 months ago

That's a fair point, but I don't see in the OP's comment any mention of a platform or OS name.

6 months ago

You can read about it here

6 months ago

That makes sense now. Pity the OP didn't post that in the initial comment.
Though I still wouldn't consider iOS unbreakable, I've read previously about some serious spyware used by secret services that can break iOS as easy as pie. If they can do this why can't someone break into Steam?

6 months ago

Thoughts: Perhaps your friend clicked a phishing link, then "logged in" there and lost their account, but was too embarrassed to admit they fell for a simple phishing scam and gave you a cover-up story about a "one-click vulnerability" instead.

I find it interesting you are unwilling to listen to people in this thread. Sharing information and observations is a healthy and constructive way to explore a topic. It's good to have conviction in your claims, but not if you are not willing to be open to alternative conclusions based on the information given.

6 months ago

This is a wild discussion.

6 months ago

(attached image)
6 months ago

but accidentally touched the link which opened the link in the browser.

Sounds like it was a boring old trojan, my friend.

6 months ago
