Leppie Aug 19, 2019 @ 6:55am
Remove access to Steam security settings from API or restrict security access
It has proven to be very easy to change all security settings through the API once 1 valid token has been received from the authenticator.
This has led to people developing scripts to hijack accounts through this flaw.

Possible solutions would be:
- Require a NEW authenticator token each time a security setting change is made. And require the Recovery key to remove the authenticator from an account.
- Remove the possibility to change security settings through the API altogether.

The latter seems to be the best and safest option, as it is completely unclear to me why an external website/app should have access to security settings unless you would want hijacking of accounts to be an option by design.
Last edited by Leppie; Aug 19, 2019 @ 9:42am
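The first proposal above (a fresh, single-use authenticator code for every security change, plus the recovery key before the authenticator can be removed) can be illustrated with a small server-side model. The following is an added example written for this page; it is not Steam's code and makes no claim about how Steam's API actually behaves. The class name, the TOTP-style code format, the 30-second window and the sample phone number are all assumptions chosen for the illustration.

```python
"""
Added illustration (not Steam's code): a security-settings service that
refuses to spend the same authenticator code on more than one change, and
additionally demands the recovery key to remove the authenticator.
"""
import hashlib
import hmac
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code (assumed as the authenticator's code format)."""
    counter = now // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class SecuritySettings:
    """Hypothetical account security state guarded by single-use codes."""

    STEP = 30  # seconds per code window (assumption)

    def __init__(self, secret: bytes, recovery_key: str) -> None:
        self.secret = secret
        self.recovery_key = recovery_key
        self.phone = "+1-555-0100"  # constructed sample value
        self.authenticator_enabled = True
        self.spent_windows: set[int] = set()  # windows whose code was already used

    def _consume_code(self, code: str, now: int) -> bool:
        """Accept a code only if it is valid AND its window has not been spent.

        Keying the replay check on the time window (not the code string) means a
        second security change inside the same window is refused even with the
        correct code: the caller must wait for a NEW code, which is the proposal.
        """
        if not self.authenticator_enabled:
            return False
        window = now // self.STEP
        if window in self.spent_windows:
            return False  # replay: this code was already used for a change
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False
        self.spent_windows.add(window)
        return True

    def change_phone(self, new_phone: str, code: str, now: int) -> bool:
        """Phone change: requires one fresh authenticator code."""
        if not self._consume_code(code, now):
            return False
        self.phone = new_phone
        return True

    def remove_authenticator(self, code: str, recovery_key: str, now: int) -> bool:
        """Authenticator removal: requires the recovery key AND a fresh code."""
        if not hmac.compare_digest(recovery_key, self.recovery_key):
            return False
        if not self._consume_code(code, now):
            return False
        self.authenticator_enabled = False
        return True


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed, never reuse in practice
    acct = SecuritySettings(secret, recovery_key="R1234-CONSTRUCTED")
    t = 1_000_000_000
    code = totp(secret, t)
    print("phone change with fresh code:", acct.change_phone("+1-555-0199", code, t))
    print("authenticator removal reusing that code:",
          acct.remove_authenticator(code, "R1234-CONSTRUCTED", t))
    print("removal with new code, right key:",
          acct.remove_authenticator(totp(secret, t + 30), "R1234-CONSTRUCTED", t + 30))
```

The point of the model is the second call: the code that just changed the phone number is rejected for the next change, so an attacker holding one captured code cannot chain settings changes, and removing the authenticator also fails without the recovery key.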

Showing 1-15 of 20 comments
SonicUnleashedXY Aug 22, 2019 @ 4:48pm 
They could make it so each website requesting your API has to list what access they want from it. This way you'll know if it's trying to access more than it needs. Twitch & Twitter already have this feature, plus if the site happens to update their required information then you'll be pinged next log in to confirm the changes.
Last edited by SonicUnleashedXY; Aug 22, 2019 @ 4:49pm
cinedine Aug 22, 2019 @ 4:57pm 
Originally posted by SonicUnleashedXY:
They could make it so each website requesting your API has to list what access they want from it. This way you'll know if it's trying to access more than it needs. Twitch & Twitter already have this feature, plus if the site happens to update their required information then you'll be pinged next log in to confirm the changes.

(A) You don't log into Steam via phishing sites. The "site" itself does with the data you input and then shows you whatever it wants.
(B) Because scammers are known to be trustworthy to not lie to you and the sites are not throwaway so they can be blocked effectively?
Brujeira Aug 22, 2019 @ 5:18pm 
In case the OP tries this counter argument, I’ll just state the obvious.

“But they’re not scam sites! They’re -“
Let me just stop you there. They’re scam sites - all of them. Work by that principle and your chances of getting phished drop dramatically.
Satoru Aug 22, 2019 @ 8:00pm 
Originally posted by Leppie:
It has proven to be very easy to change all security settings through the API once 1 valid token has been received from the authenticator.

Allow me to ask, as usual

Citation Needed[xkcd.com]

https://steamapi.xpaw.me/

Feel free to cite which part of the steamAPI allows this

You need 2 tokens to fully hijack an account, one to log in, two to remove the phone number. After that you add your own and then take the account over. You don't need the steam api for this. And victims often put in multiple codes because the site fakes a 'failed' login
Last edited by Satoru; Aug 22, 2019 @ 8:04pm
gino costa Aug 22, 2019 @ 8:12pm 
There is no reason to allow security settings through the api, and this token issue needs to be fixed as well. Plus, there needs to be some way in which an account owner can track down a hijacked account and retake it, no matter what phone number is given or replaced. This should only be used in the steam client itself, with lots of security and a paper trail to boot. Also a way for the original phone number to at least be preserved.

Further, does changing passwords and using hard to guess passwords help in security?
Last edited by gino costa; Aug 22, 2019 @ 8:12pm
Satoru Aug 22, 2019 @ 8:22pm 
Originally posted by gino costa:
Plus, there needs to be some way in which an account owner can track down a hijacked account and retake it, no matter what phone number is given or replaced.

Well first it's called "stop logging into scam websites because you want free games/knives/etc"

Second, there is a way

https://support.steampowered.com/kb_article.php?ref=2268-EAFZ-9762

It's called contacting support

Further, does changing passwords and using hard to guess passwords help in security?

Not really because the #1 way people get hijacked is phishing, which means a 10,000 character password is pointless if you simply give the keys away to your vault to the homeless hobo behind the dumpster at BestBuy
Leppie Aug 23, 2019 @ 12:25am 
Originally posted by Satoru:
Originally posted by Leppie:
It has proven to be very easy to change all security settings through the API once 1 valid token has been received from the authenticator.
You need 2 tokens to fully hijack an account, one to log in, two to remove the phone number.

Nope, only 1 is required to do the above.
But Valve surely wants you to believe that you need a bunch of codes to change the settings.
Last edited by Leppie; Aug 23, 2019 @ 12:35am
Leppie Aug 23, 2019 @ 12:54am 
If this were true:
Originally posted by Satoru:
You need 2 tokens to fully hijack an account, one to log in, two to remove the phone number.

Then with the below you are only building a case against yourself:
Originally posted by Satoru:
Well first it's called "stop logging into scam websites because you want free games/knives/etc"

Because if you really did need several tokens to log in and change account security settings, then logging in on a website, even potentially malicious ones, would not make a difference at all apart from them being able to see some of your personal details if you entered them.
Count_Dandyman Aug 23, 2019 @ 12:59am 
Originally posted by Leppie:
If this were true:
Originally posted by Satoru:
You need 2 tokens to fully hijack an account, one to log in, two to remove the phone number.

Then with the below you are only building a case against yourself:
Originally posted by Satoru:
Well first it's called "stop logging into scam websites because you want free games/knives/etc"

Because if you really did need several tokens to log in and change account security settings, then logging in on a website, even potentially malicious ones, would not make a difference at all apart from them being able to see some of your personal details if you entered them.
No, he is just experienced enough to know that the sites ask for multiple codes, usually by claiming the first one didn't work and you need to provide a second.
Satoru Aug 23, 2019 @ 6:08am 
And again you keep “saying” this is possible

CITATION NEEDED

https://steamapi.xpaw.me/

Show me the API call that allows this

Shouldn’t be too hard right?

You keep saying it’s “proven”

Prove it
Last edited by Satoru; Aug 23, 2019 @ 6:09am
Leppie Aug 23, 2019 @ 7:55am 
Originally posted by Count_Dandyman:
No, he is just experienced enough to know that the sites ask for multiple codes, usually by claiming the first one didn't work and you need to provide a second.

He actually doesn't as he has no personal experience with this, so all he is claiming here is hearsay.
Count_Dandyman Aug 23, 2019 @ 8:07am 
Originally posted by Leppie:
Originally posted by Count_Dandyman:
No, he is just experienced enough to know that the sites ask for multiple codes, usually by claiming the first one didn't work and you need to provide a second.

He actually doesn't as he has no personal experience with this, so all he is claiming here is hearsay.
Right, so those of us who have seen, dozens of times in the last week alone, people talking about it, and who know exactly how it works and what they need to do to ensure all access to their accounts is removed, know nothing, while you, who makes empty claims and still hasn't shown any citation, do.

Yeah, I suggest you stay away from this thread until you do some basic research.
Last edited by Count_Dandyman; Aug 23, 2019 @ 8:08am
Spawn of Totoro Aug 23, 2019 @ 8:33am 
The API cannot be used in that way. People are phished and give away their information, then it is used on the Steam site or with the Steam app, where such changes can be made.
Satoru Aug 23, 2019 @ 9:23am 
Originally posted by Leppie:
Originally posted by Count_Dandyman:
No, he is just experienced enough to know that the sites ask for multiple codes, usually by claiming the first one didn't work and you need to provide a second.

He actually doesn't as he has no personal experience with this, so all he is claiming here is hearsay.

Again here is the entire SteamAPI call stack even the undocumented stuff

https://steamapi.xpaw.me/

Tell me which API call you can use to do what you claim

That's it. What is the API call you claim can do this

You can keep saying "I don't know anything" but you seem to refuse to provide the BASIC PROOF of your statement despite being provided a convenient web based list of the entire WebAPI which you continue to refuse to reference

You wanna prove me wrong?

You gotta PROVE IT.


Currently the only thing the API call is being used to exploit is

1) User gets a trade
2) API call intercepts the incoming trade
3) API can look at the contents and the user being traded from
4) API cancels trade
5) The bot impersonates the user and the trade in a new trade
6) Bot sends this 'new' trade to the user which looks identical to the old one
7) User goes onto their device and sees the pending trade and authorizes it
8) Items are traded to scammer

This is the ONLY known 'exploit' using the API key



So if you're going to tell me something you better PROVE ME WRONG

YOU claim the API key can be used to change your password

PROVE IT
Last edited by Satoru; Aug 23, 2019 @ 9:27am
gino costa Aug 23, 2019 @ 7:18pm 
I have seen and known about security that would block account hijacking even if someone logs into a bad site (I never have and have never had any problems as a result). Valve really needs to beef up their security, as well as make it easier for someone to recover a hijacked, or suspected hijacked, account, as well as give them support options if they need it. Also, please allow me to have the Steam guard utility installed, with the same codes, on my phone as well as my tablet - in other words, more than one device. They could limit it to two devices maybe, but allow two. That way the disaster of a missing or nonworking device is avoided, as well as giving the legitimate user the ability to remove working security from a missing or stolen device and redo their security. There is no reason that only one token should work to change an account; it should take several, and it should be easy for the user to prevent a hijacking, or to recover from one. Yes, I know I sound like 'pie-in-the-sky', but it is absolutely doable. As an example, look at how Steam requires verification when logging into Steam from a 'new device'. I'm sure this is easily bypassed, but this should not be. And in the case when someone illegally changes an account's email (should also be recoverable if the legitimate user logged onto a bad site, for example) Steam Support should be quick to help.

Thank you

Date Posted: Aug 19, 2019 @ 6:55am
Posts: 20