aixvaras Jul 19, 2023 @ 3:43pm
config.vdf scam?
Hey, so basically a friend contacted me via Steam, asking for help. His "issue" was that his cs was bluescreening his PC, and over a bit of chit-chatting he said, that he saw a guide somewhere and that he needs a friend's config.vdf file. I was stupid, and said sure, I noticed loginusers.vdf, took a look at it and took it out of the folder because it contained strings of accounts connected from my computer. However I didn't notice the biggest config.vdf, and after I sent it, I looked at it.

After realising I told all my friends to change their passwords, and so did I. I unauthorized all devices, changed my password, and removed and added mobile authenticator again.

Am I at risk?

p.s. yes, I know it was stupid of me to do that, I'm looking for answers, not ridicule.
< >
Showing 1-8 of 8 comments
Carlos100 Jul 19, 2023 @ 3:48pm 
You should be safe after you did what you did
Did you make sure it was your real friend that sent the message (they could have already been compromised and it was the hijacker that messaged you)
I dont know what file that should be,
but he just needed a file from steam to repair something. Not from soneone else.

So this doesnt make sense. And looks very suspicious.

What was the path in the steam folder of that file?
I see that is how they get your account name from loginusers.vdf

Originally posted by Muppet among Puppets:
What was the path in the steam folder of that file?
\Steam\config
Originally posted by Wynters:
I see that is how they get your account name from loginusers.vdf
All account names.

-
I suggest to be carefull in the future to not give anything away anymore, nothing. Could be a follow up that in combination would do more than the single thing it appears to be.
And not trust emails even if they contain account name.
Azure Fang Jul 19, 2023 @ 6:28pm 
I would report your friend's account as compromised. If it's an IRL friend, confront them directly to see if it was actually them.

There is nothing in config.vdf that would help with the issue described. Config.vdf contains the following potentially sensitive information:
  • The filename and location of the sentry files for all Steam accounts used on your client
  • The account names for all accounts used on your client
  • The decryption keys for the installers of every game you've ever downloaded (I can't believe these are plaintext, even on a local file)
  • And a number of other sundry configuration keys
The first two could be used in the future as an attempt to scam you, via appearing like someone communicating with you has private information about your account and PC (technically, now, they do). The third can be used to decrypt Steam game installers. The fourth includes a ton of normally innocuous fields, but could give a scammer an edge in acting like they know about your account and PC.

Going forward, be extra wary of anybody contacting you via Steam, Discord, or any method other than via Steam Support's ticket system; Valve will never contact you outside of official e-mails and the ticket system, and you should even be extra sure of any e-mails as now scammers can tailor extra-realistic fakes for you and e-mail addresses aren't exactly private. There's nothing in the file (aside from the decryption keys) that they can actively use against you, but they CAN try to appear extra legit in future scam attempts and they CAN use your account name to login-bomb you (keep attempting to log in to try to lock you out of login attempts).

Never give away a Steam .vdf file.
aixvaras Jul 19, 2023 @ 10:41pm 
Originally posted by Carlos100:
You should be safe after you did what you did
Did you make sure it was your real friend that sent the message (they could have already been compromised and it was the hijacker that messaged you)
I mean I’m from Europe, and that friend was writing in my language, in his usual speaking manner, so I didn’t notice anything suspicious. Maybe his account was compromised. Thanks!
aixvaras Jul 19, 2023 @ 10:42pm 
Originally posted by Muppet among Puppets:
Originally posted by Wynters:
I see that is how they get your account name from loginusers.vdf
All account names.

-
I suggest to be carefull in the future to not give anything away anymore, nothing. Could be a follow up that in combination would do more than the single thing it appears to be.
And not trust emails even if they contain account name.
Yeah, since now if I’m going to do something related to sending a file, i’m going to scan the entirety of it. I can’t imagine how I could get phished. Things happen
aixvaras Jul 19, 2023 @ 10:44pm 
Originally posted by Azure Fang:
I would report your friend's account as compromised. If it's an IRL friend, confront them directly to see if it was actually them.

There is nothing in config.vdf that would help with the issue described. Config.vdf contains the following potentially sensitive information:
  • The filename and location of the sentry files for all Steam accounts used on your client
  • The account names for all accounts used on your client
  • The decryption keys for the installers of every game you've ever downloaded (I can't believe these are plaintext, even on a local file)
  • And a number of other sundry configuration keys
The first two could be used in the future as an attempt to scam you, via appearing like someone communicating with you has private information about your account and PC (technically, now, they do). The third can be used to decrypt Steam game installers. The fourth includes a ton of normally innocuous fields, but could give a scammer an edge in acting like they know about your account and PC.

Going forward, be extra wary of anybody contacting you via Steam, Discord, or any method other than via Steam Support's ticket system; Valve will never contact you outside of official e-mails and the ticket system, and you should even be extra sure of any e-mails as now scammers can tailor extra-realistic fakes for you and e-mail addresses aren't exactly private. There's nothing in the file (aside from the decryption keys) that they can actively use against you, but they CAN try to appear extra legit in future scam attempts and they CAN use your account name to login-bomb you (keep attempting to log in to try to lock you out of login attempts).

Never give away a Steam .vdf file.

I myself was surprised to see decryption keys in that file, but I mean those files are supposed to be not touched. Yeah, valve could care a bit more, but if you don’t ♥♥♥♥ around, you don’t find out.
< >
Showing 1-8 of 8 comments
Per page: 1530 50

Date Posted: Jul 19, 2023 @ 3:43pm
Posts: 8