All Discussions > Steam Forums > Steam Discussions > Topic Details
Adam Beckett Apr 10, 2024 @ 9:20am
Security Issue: In-Game URL redirecting to phishing sites
I just stumbled over a peculiar issue.

The (now older game) WH40K Battlefleet Gothic Armada - AppID 363680 - has an in-game "Get Help" button.

Clicking on it offers a "game guide" option.

Clicking on THAT opens a website inside the Steam Client with a video player.

https://networkpccontrol.com/video-player-1/?clickid=cob556e071bc73d3bang&domain=baseclickflow.com

That video player has a pop-up overlay, preventing any video autoplay, instead asking the the user to click on it with a text ""Install Ad Blocker ... for privacy ..." something, something (only user option) ... which would trigger a URL from the domain.

gameclickflow [.] com

... which - according to ICANN DNS lookup is something based in Iceland, and all other information about this domain is locked behind 'privacy' settings (that's clever). Google does not offer any more information about that website.

Thankfully, DNS Servers do not 'know' this website any longer (defunct).

------

Which led me to think of all the games that have in-game URLs which will trigger Steam's internal browser (powered by Google Chrome/Chromium) or external browsers to start.

In these cases - in game URLs - the Steam Forums "You are exiting Steam" warning is NOT triggered.

Many games only link to YouTube videos, which will open the Steam integrated Chromium Web Browser - no big deal.

But what about the games - especially the old games - which have links to old URLs, where the Domain has expired or - and that's the real issue - have been bought and are now referring to phishing sites or malware?!

I know, this cannot be an easy thing to fix. Maybe impossible. Old games with URL links inside their in-game UI are not transparent and cannot be 'blocked' easily.

Yet, this is - one of many - security issues, which are real and will only increase over time?

But, this is neither transparent, nor smart, nor any in-game clicks triggering URL websites (= anything outside the game) should be 'best practice' for any dev or publisher ... unless their main income is web ad sales???
Last edited by Adam Beckett; Apr 10, 2024 @ 9:24am

Something went wrong while displaying this content. Refresh

Error Reference: Community_9745725_
Loading CSS chunk 7561 failed.
(error: https://community.fastly.steamstatic.com/public/css/applications/community/communityawardsapp.css?contenthash=789dd1fbdb6c6b5c773d)
Showing 1-5 of 5 comments
Chika Ogiue Apr 10, 2024 @ 9:26am 
Not the first time something like this has been a problem. There was a 2-D Half Life game (Codename: Gordon) that ultimately ended sending people to porn sites when its in-game URLs expired. In the end, Valve pulled it from the store.

If you have concerns with such a game try contacting the developer/publisher and/or Steam support.
#1
Adam Beckett Apr 10, 2024 @ 9:29am 
Originally posted by Chika Ogiue:
Not the first time something like this has been a problem. There was a 2-D Half Life game (Codename: Gordon) that ultimately ended sending people to porn sites when its in-game URLs expired. In the end, Valve pulled it from the store.

If you have concerns with such a game try contacting the developer/publisher and/or Steam support.

I remember reading about that, too.

Luckily, in the case above, the URL is defunct = will cause no harm.

I just have to adjust my brain to accept that 'video games' - once you are 'inside' them - are no longer safe from making you click on stuff that can trigger the same risk, as clicking on websites, instead of your gun trigger.

Imagine 'hidden URLs' in-game, which would trigger browsers running in the background (without you leaving the game or noticing) and then automatically downloading malware. Possible. Frightening?
#2
RiO Apr 10, 2024 @ 5:44pm 
Originally posted by Adam Beckett:
Imagine 'hidden URLs' in-game, which would trigger browsers running in the background (without you leaving the game or noticing) and then automatically downloading malware. Possible. Frightening?

One of the reasons you should be weary of games that use their own launchers as well.
Private little gateways to malware hell if the hold on the domain expires and it's squatted.

Or worse- launchers that perform their own patching and download unverified payloads without any kind of signing check.
#3
ペンギン Apr 10, 2024 @ 7:40pm 
One reason to not use the Steam overlay:

https://gameindustry.eu/blog/steam-overlay-as-tracking-tool/

In this regard, the overlay function should actually be banned for all times. It's insecure, intransparent and is partially abused by publishers and devs, especially because there is no AdBlock and everything is unfiltered.

And else an older example

https://steamcommunity.com/sharedfiles/filedetails/?id=2105597382

Valve Softworks/Corporation could clearly do a lot more but they are only effective when it comes to new restrictions for end customers. As it is, and without the sites being checked for validity, it's up to the respective providers, as always. It's not even a security vulnerability.

The problem lies more in the fact that inconsistent filter rules (CSP (Content Security Police)) and Chatfilter exist on this platform with regard to white/blacklists which are designed according to their own profit interests. The HTML Ttitle tags are also not displayed for all links. This is currently only for some functions such as social networks. The same applies to chats with the associated inconsistent automatic formatting.

Users are only safe here if they have deactivated Javascript and disabled Steam overlay and even then there are still enough other things active such as Paypal Tracker, Google DoubleClick, Playstore Logging and other things.

Only solution? Not allow outgoing links. But since the entire advertising appraisal, inclusive YouTube is built on it, this will never happen. Steam is still a money printing and advertising machine.

This was even clearly visible with the first public release of the chat filters, as there were various trading pages in the filter lists of Valve, which made profit without paying the usual fee to the platform.
Last edited by ペンギン; Apr 10, 2024 @ 8:53pm
#4
SLG Apr 11, 2024 @ 4:23am 
Do you mean this game: https://steamcommunity.com/app/363680/discussions/ ?

If yes, you should ask there.
#5
Showing 1-5 of 5 comments
Per page: 1530 50

All Discussions > Steam Forums > Steam Discussions > Topic Details
Date Posted: Apr 10, 2024 @ 9:20am
Posts: 5
Start a New Discussion

Discussions Rules and Guidelines