OP's Steam account didn't get compromised because of the link; rather, whatever the suspicious bot did to their Discord allowed them to steal their browser cookies.
It's possible to hijack a Steam account by using a remote-login token exploit -- https://www.reddit.com/r/discordapp/comments/vvnk19/the_recent_discord_hack_issues_make_use_of_an/?rdt=45905
A more technical security explanation of how it works, from Sophos (2021) -- https://news.sophos.com/en-us/2021/07/22/malware-increasingly-targets-discord-for-abuse/
And the really big brain technical explanation, with fixes, from MITRE/ATT&CK -- https://attack.mitre.org/techniques/T1134/
Never say "never" when it comes to bad actors. They specialize in making software do what it's not intended to do by making it do exactly what it's designed to do. Discord isn't the only platform being used as a deployment vector, neither is Steam.
EDIT: Also, it's 2024... who the hell still uses Discord?
The third link is technical stuff.
The second link is interesting. They mentioned that the token loggers steal tokens for Steam... but what token? It couldn't possibly be the Steam account's credentials, because Steam won't share them with Discord:
- your Steam login credentials will not be shared
- a unique numeric identifier will be shared with xyz. Through this, xyz will be able to identify your Steam Community profile and access information about your Steam account according to your profile privacy settings
- any information on your Steam Profile page that is set to be publicly viewable may be accessed by xyz
- by clicking "Sign In" you agree to this data being shared.

Steam also uses the same safeguarded linking for other third-party sites, not just Discord. For Discord hackers to successfully pwn a linked Steam account from inside Discord would also imply that every other safeguarded third-party link that Steam offers is at risk.
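As an added example of the sharing described above (this is my own code, not Steam's, Discord's or any site's real implementation): Steam's third-party sign-in is OpenID 2.0, and the only identity data the relying party ("xyz") receives is a claimed_id URL ending in the account's 64-bit SteamID. The block parses that positive assertion, checks that it is from Steam's endpoint, that claimed_id and identity agree and are signed, that return_to is the site's own callback, and then derives the other common SteamID notations. Assumptions: the provider endpoint https://steamcommunity.com/openid/login and the claimed_id form https://steamcommunity.com/openid/id/<SteamID64> are as Steam publishes them; SAMPLE_RETURN is a constructed query string with a fake signature, and the final check_authentication POST back to Steam is built but not sent, so it runs offline.

```python
import re
from urllib.parse import parse_qs

# Added example, not Steam's or Discord's code. Assumed Steam OpenID 2.0 details:
STEAM_OPENID_ENDPOINT = "https://steamcommunity.com/openid/login"
CLAIMED_ID_RE = re.compile(r"^https://steamcommunity\.com/openid/id/(\d{17})$")
STEAMID64_BASE = 76561197960265728  # SteamID64 of account id 0 (universe 1, individual account)
REQUIRED_SIGNED = ("op_endpoint", "claimed_id", "identity", "return_to",
                   "response_nonce", "assoc_handle")

# Constructed return-URL query from Steam to the relying party "xyz.example".
# SteamID64 is base + 12345; the signature is fabricated.
RETURN_TO = "https://xyz.example/auth/steam/callback"
SAMPLE_RETURN = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=id_res"
    "&openid.op_endpoint=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Flogin"
    "&openid.claimed_id=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Fid%2F76561197960278073"
    "&openid.identity=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Fid%2F76561197960278073"
    "&openid.return_to=https%3A%2F%2Fxyz.example%2Fauth%2Fsteam%2Fcallback"
    "&openid.response_nonce=2024-01-01T00%3A00%3A00Zabc123"
    "&openid.assoc_handle=1234567890"
    "&openid.signed=signed%2Cop_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle"
    "&openid.sig=ZmFrZXNpZw%3D%3D"
)


class OpenIDError(ValueError):
    """Assertion is malformed, not from Steam, not for us, or not fully signed."""


def parse_assertion(query_string: str) -> dict:
    """Flatten the query string into a {name: value} dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def extract_steamid64(query_string: str, expected_return_to: str) -> int:
    """Return the SteamID64 asserted by Steam, or raise OpenIDError.

    Note what is NOT here: no password, no session cookie, no Steam login token.
    The relying party only ever learns a number.
    """
    p = parse_assertion(query_string)
    if p.get("openid.mode") != "id_res":
        raise OpenIDError("not a positive assertion (openid.mode != id_res)")
    if p.get("openid.op_endpoint") != STEAM_OPENID_ENDPOINT:
        raise OpenIDError("op_endpoint is not Steam's provider")
    if p.get("openid.return_to") != expected_return_to:
        raise OpenIDError("return_to is not our callback (replayed elsewhere?)")
    claimed = p.get("openid.claimed_id", "")
    if claimed != p.get("openid.identity"):
        raise OpenIDError("claimed_id and identity differ")
    m = CLAIMED_ID_RE.match(claimed)
    if not m:
        raise OpenIDError("claimed_id is not a Steam profile identifier")
    signed = set(p.get("openid.signed", "").split(","))
    missing = [f for f in REQUIRED_SIGNED if f not in signed]
    if missing:
        raise OpenIDError("fields not covered by the signature: " + ", ".join(missing))
    steamid64 = int(m.group(1))
    if steamid64 < STEAMID64_BASE:
        raise OpenIDError("not an individual account SteamID64")
    return steamid64


def is_valid_assertion(query_string: str, expected_return_to: str) -> bool:
    try:
        extract_steamid64(query_string, expected_return_to)
        return True
    except OpenIDError:
        return False


def check_authentication_body(query_string: str) -> dict:
    """Body to POST back to STEAM_OPENID_ENDPOINT so Steam confirms the signature.

    Steam answers with is_valid:true or is_valid:false. This is the step that
    actually proves the assertion came from Steam; the structural checks above
    only reject obvious garbage. Not sent here (offline example).
    """
    body = {k: v for k, v in parse_assertion(query_string).items() if k.startswith("openid.")}
    body["openid.mode"] = "check_authentication"
    return body


def steamid_formats(steamid64: int) -> dict:
    """Derive the legacy STEAM_0:X:Y and [U:1:N] forms from a SteamID64."""
    if steamid64 < STEAMID64_BASE:
        raise ValueError("not an individual account SteamID64")
    account_id = steamid64 - STEAMID64_BASE
    return {
        "steamid64": steamid64,
        "account_id": account_id,
        "steam3": f"[U:1:{account_id}]",
        "steam2": f"STEAM_0:{account_id & 1}:{account_id >> 1}",
        "profile_url": f"https://steamcommunity.com/profiles/{steamid64}",
    }


if __name__ == "__main__":
    sid = extract_steamid64(SAMPLE_RETURN, RETURN_TO)
    print(steamid_formats(sid))
    print(check_authentication_body(SAMPLE_RETURN)["openid.mode"])
```

The point for the thread: a stolen Discord token lets an attacker act as the Discord user, and through the linked-account feature Discord can look up the profile that this number identifies, but nothing in this exchange gives Discord (or whoever controls the Discord session) a Steam credential to log in with.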
Yeah, sorry about that. Never been one to turn down a really good IT rabbithole.
Steam installs a tracking pixel by default, "steam.png", at C:\Program Files\WindowsApps\Microsoft.GamingApp_2312.1001.18.0_x64__%PUBLISHERID%\Assets\LinkedAccountsBranding - that's the official version, according to Steam Support. In some cases, there may also be one named "steam@2x.png", the unauthorized version.
Also, Steam installs via Administrator rights even if you do it with user level privileges. This allows for an additional escalation to install system-level files and DLLs, including a text file called "VulkanEULA.txt", which the user typically wouldn't notice unless they had a reason to go looking. Can't remove them through normal access means, and in some cases they've overwritten the original OS versions so they can't be removed at all.
Then there's the reality that we're accessing Steam's services through a Windows 7 DOM, with vulnerabilities like CEF, WebClient leaks and other fun deprecated exploits that defeat the purpose of "as of January 1, 2024, Steam will only be compatible with Windows 10 or higher." Normally this would be seen as a user-side issue, and it should be, except Microsoft backported Win10 functionality to Win8/8.1 and Win7 around mid-2018.
By default, the Steam Client Services folder is a RAT named "~nsu.temp". Valve doesn't have to "share" your data, they've already allowed whatever's on Microsoft's webservers to piggyback directly into your machine at the system level.
I'm probably simplifying things a bit, but either way the whole setup is less secure than a screen door hatch on a submarine. Even less so than when Valve got busted for the SteamChina spyware incident in 2021.
If it exists, it can be compromised. API, TLS, stuff like that is child's play.
EDIT: CSS is why I troubleshoot, I don't code.
Still, I'm having a hard time processing all this because I'm always under the impression that 3rd party link is fairly safe. I understand the idea that no system is safe, but idk that the issue is as big as you said.
Say, if someone got their steam account hijacked with this method, aren't they eligible for a refund/unban? Their discord getting hijacked is their fault, but for their steam to also get hijacked from only linking it isn't their fault, imo.
No worries, it's all good.
Third-party links are a really old trick, you can spoof a legitimate link using HTML or use a URL that looks similar enough to easily overlook the difference (typosquatting). The key is knowing your target audience, a perfect example being the "$50 CS:Go gift card" phishing scam that pops up regularly in Steam Group Chats.
With Discord, a lot of users are also heavy YouTube content consumers... many of whom are old enough to know that watching online pirated movies is a bad idea, but not old enough to know about streamjacking or how it works.
Third-party apps operate similarly to links: they can direct the connection to a webserver which runs the services being accessed. It's much more difficult to detect an attack because it relies on observation, and most users will chalk the problem up to incompetent programmers instead of webserver-side issues.
Which is how the Discord app can compromise users' devices so easily. Old enough to learn, not old enough to understand the importance.
No, they're not eligible. Valve is only responsible for providing Steam's services, the user is responsible for whatever happens with their account. Food for thought: if a user's account gets hijacked and the third-party posts illegal content (the "FBI OPEN UP!" kind of illegal content) on said account, that's also on the user who now has to prove it wasn't them.
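The spoofed-link tricks named in the reply above (display text that doesn't match the real href, and typosquatted lookalike domains such as the recurring "$50 CS:GO gift card" posts) are mechanical enough to check for. The following is an added example of my own, not code from Steam, Discord or anyone in this thread: it walks the anchors in an HTML fragment and flags three things, a visible hostname that differs from the href's hostname, a punycode or non-ASCII host, and a registrable domain within edit distance 2 of a trusted one. SAMPLE_HTML and the lookalike domains in it are constructed for the demonstration; the trusted-domain list is an assumption you would tailor to your own site.

```python
import html.parser
from urllib.parse import urlparse

# Added example, not Steam's or Discord's code. Trusted list is an assumption.
TRUSTED = ("steamcommunity.com", "store.steampowered.com", "discord.com")

# Constructed fragment: one typosquat ("rn" for "m"), one genuine link,
# one made-up punycode host hiding behind real-looking link text.
SAMPLE_HTML = """
<p>Free $50 CS:GO gift card: <a href="https://steamcomrnunity.com/gift/50">steamcommunity.com/gift</a></p>
<p>Store: <a href="https://store.steampowered.com/">store.steampowered.com</a></p>
<p>Login: <a href="http://xn--stemcommunity-k4a.com/login">steamcommunity.com</a></p>
"""


class _LinkCollector(html.parser.HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str) -> str:
    """Lower-cased hostname of a URL or bare 'host/path' string ('' if none)."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host (good enough for .com-style domains)."""
    return ".".join(host.split(".")[-2:])


def suspicious_links(fragment: str, trusted=TRUSTED) -> dict:
    """Map each suspicious href to the list of reasons it was flagged."""
    collector = _LinkCollector()
    collector.feed(fragment)
    findings = {}
    for href, text in collector.links:
        real = host_of(href)
        reasons = []
        # Punycode (xn--) or raw non-ASCII labels: classic homoglyph hosts.
        if real.startswith("xn--") or ".xn--" in real or any(ord(c) > 127 for c in real):
            reasons.append("punycode or non-ASCII host")
        # Link text that looks like a URL but points somewhere else.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != real:
            reasons.append(f"text shows {shown} but link goes to {real}")
        # Near-miss of a trusted domain (steamcomrnunity vs steamcommunity).
        reg = registrable(real)
        for t in trusted:
            if reg != t and edit_distance(reg, t) <= 2:
                reasons.append(f"lookalike of {t}")
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_HTML).items():
        print(href, "->", "; ".join(reasons))
```

Two caveats a practitioner would want: the registrable-domain helper does not understand multi-label public suffixes (co.uk and friends), so use a public-suffix list in production; and a distance-2 threshold will also flag legitimate short domains that happen to be near a trusted one, so treat a hit as "look closer", not as proof of phishing.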