Alright, long story short, some guy messaged me about advertising their roulette site "tf2crew", and I thought oh lol lets waste his time etc, so I talked to him. Just out of curiosity, I visited their website IN AN INCOGNITO WINDOW and did not put in any of my credentials for my Steam Account. Mind you this was a month ago.
Fast forward to now, I turn on my pc and see a chatlog that I did not write. My username and bio were changed as well. Chatlog in spoilers.
Now I do not know how the fuck they got in, because I have 2FA enabled on my account and I did not get a notification. I changed my Steam password and scanned my PC, everything is fine.
Be wary, friendos.
[spoiler][23:19]
Haris: hello?
[23:19]
eggded: hey so sorry to add you but i have a question
[23:19]
Haris: yes?
[23:19]
eggded: there is a person who says that you have used a service of theirs and they say that you can withdraw one unusual
[23:20]
Haris: ah it's about adverting yeah
[23:20]
eggded: i think they're just listing random tf2crew people is it legit?
[23:20]
Haris: yea
[23:21]
eggded: really? withdrawing an unusual for free?
[23:21]
Haris: yeah , the first time you receive in 1 day, then every 7 days
[23:22]
eggded: oh cool which ones did you get?
[23:22]
Haris: I only received 2 times, but already sold on the marketplace. Bought games at sales xD 1 taunt and 1 pile of hat
[23:23]
eggded: nice
[23:23]
Haris: yap
[23:23]
eggded: im just scared because it sounds very sketchy
[23:23]
Haris: do not worry , it's legit
[23:26]
eggded: ok thank you for your help
[23:29]
Haris:no probleme m8
[/spoiler]
dont ever click half-baked links
EVER, dont test them, dont preview them, just remove.
serious question to any techies how the fuck does someone get into ur account despite 2FA, just from u going to a website? thats like scary af. i get "dont click sketchy links" but this is hella spooky.
[quote=JWB]serious question to any techies how the fuck does someone get into ur account despite 2FA, just from u going to a website? thats like scary af. i get "dont click sketchy links" but this is hella spooky.[/quote]
yeah thats what is tripping me out as well. even if they did get my password and username, how the fuck did they bypass 2FA???????
since u said there was a gap of a month, are you sure it wasnt something totally different that caused your account to get compromised?
[quote=JWB]since u said there was a gap of a month, are you sure it wasnt something totally different that caused your account to get compromised?[/quote]
nah, i read the conversation that i put in the spoilers and recalled that i had a similar one with the same tf2crew thing. i have done nothing else on my pc or steam account, so that can be the only one
[quote=JWB]serious question to any techies how the fuck does someone get into ur account despite 2FA, just from u going to a website? thats like scary af. i get "dont click sketchy links" but this is hella spooky.[/quote]
If you log into a site, the site is given an "access token" that acts as "you". This can be used to make API requests that can change your avatar, change your username, or whatever you desire.
Not sure specifically how steam API works (as I usually only work with Discord or Auth0's implementation), but this is usually how most OAuth2 apps work, including steam.
perhaps there's a gas leak in your house and you did write those messages but just don't remember??????
seems like they are trying to impersonate TFCrew, the dead youtuber group
[quote=TailorTF]perhaps there's a gas leak in your house and you did write those messages but just don't remember??????[/quote]
why would you even suggest that this is a reason, if you dont mind me asking? so fucking weird.
[quote=Brock][quote=TailorTF]perhaps there's a gas leak in your house and you did write those messages but just don't remember??????[/quote]
why would you even suggest that this is a reason, if you dont mind me asking? so fucking weird.[/quote]
reddit
[quote=Brock][quote=TailorTF]perhaps there's a gas leak in your house and you did write those messages but just don't remember??????[/quote]
why would you even suggest that this is a reason, if you dont mind me asking? so fucking weird.[/quote]
/s bro chill
Basically, these scams have been around since the first nude was sent over the pipe.
They have been using bolder and different approaches though. You kind of have to not have a life to keep up with it, so don't feel too bad people who have more time on their hands are a little bit more aware of the meta in scamming. Times change. People don't. There is just more scammers out there now and you gotta deal with it.
There are a ton of legitimate sites out there using steam API, so naturally the attempts to feel like a legitimate site are getting easier and easier. I thought steam would have been on top of this myself. But, that's how I was almost got too.
[quote=JWB]serious question to any techies how the fuck does someone get into ur account despite 2FA, just from u going to a website? thats like scary af. i get "dont click sketchy links" but this is hella spooky.[/quote]
I think what 24 (#7) said would be the most likely reason for how the account got compromised, either that or they somehow got access to the current-login cookie for the steam web browser. Basically a cookie (can be) a really long "password" which you send to the server and the server looks it up, finds you and sends you a response of some sorts. That's how all "keep me logged in" things work in web browsers. (Tom Scott recently made a really good [url=https://www.youtube.com/watch?v=OFRjZtYs3wY]video[/url] partly talking about this).
While incognito mode doesn't, usually, start with any cookies stored and also doesn't/shouldn't keep any cookies saved, and cross-site access to cookies and the like should absolutely not be possible, web browsers aren't perfect and JavaScript is scary. There have been numerous exploits over the years that could in turn accomplish the above mentioned.
That being said I can't really imagine a "random" tf2 item scammer to have the skill required for this but what do I know.
I feel like with an exploit potentially this powerful you could do a whole lot more than to just scam some unusuals...
Also sorry for some possible inaccuracies I am also not an expert on this just wanted to give some context on how this stuff works.
EDIT: By trying to keep things short and simple I braced over a lot of details especially on what cookies can do. I only talked about them in this specific use-case, as in them being used as an authentication token, since this is what would have mattered the most.
I also talked about some really weird exploit stuff since the person who has made this thread said that they didn't log into anything. So the only possible attack I could think about was some sort of cookie-theft unless Valve messed something up majorly.
Also while yes JavaScript isn't a bad language or necessarily evil since it allows most if not all websites to function how we expect them to, from a security stand-point it's still kinda "eh" and I still believe the web would be better off without it. But that's beside the point.
tldr; javascript bad
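Added example, not part of any post in this thread: a toy model of the session cookie described above, showing that the password and 2FA code are checked only at login and that whoever presents the cookie value afterwards is treated as the account owner until the session is revoked. The account data and the function names (`createSite`, `whoAmI`, `changePassword`) are constructed for illustration and do not describe Steam's actual implementation.

```javascript
"use strict";
const { randomBytes } = require("node:crypto");

// Toy site with one constructed account. The fixed "otp" stands in for a
// real time-based 2FA code; plain string comparison is used for brevity.
function createSite() {
  const accounts = new Map([["alice", { password: "correct horse", otp: "492817" }]]);
  const sessions = new Map(); // cookie value -> username

  return {
    // The only place where the password and the 2FA code are checked.
    login(user, password, otp) {
      const acct = accounts.get(user);
      if (!acct || acct.password !== password || acct.otp !== otp) return null;
      const token = randomBytes(32).toString("hex"); // unguessable session id
      sessions.set(token, user);
      return token;
    },
    // Every later request is authenticated by the cookie value alone.
    whoAmI(cookieValue) {
      return sessions.get(cookieValue) ?? null;
    },
    // Changing the password helps only if existing sessions are dropped too.
    changePassword(user, newPassword, revokeSessions) {
      accounts.get(user).password = newPassword;
      if (!revokeSessions) return;
      for (const [token, owner] of sessions) {
        if (owner === user) sessions.delete(token);
      }
    },
  };
}

function demo() {
  const site = createSite();
  const wrongOtp = site.login("alice", "correct horse", "000000");
  const cookie = site.login("alice", "correct horse", "492817");

  // The same string presented from any other browser is accepted as alice.
  const before = site.whoAmI(cookie);

  site.changePassword("alice", "new passphrase", false);
  const afterPasswordChange = site.whoAmI(cookie);

  site.changePassword("alice", "newer passphrase", true);
  const afterRevocation = site.whoAmI(cookie);

  return { wrongOtp, before, afterPasswordChange, afterRevocation };
}

console.log(demo());
```

The defensive takeaway is the last step: after a suspected compromise, end every existing session (on Steam, the "deauthorize all other devices" option) in addition to changing the password.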
[quote=Bv]Basically a cookie is a really long "password" which you send to the server and the server looks it up, finds you and sends you a response of some sorts. That's how all "keep me logged in" things work in web browsers.[/quote]
This is only true to an extent. A cookie can have any arbitrary key/value. A cookie is just a place for the browser to store a value associated with a key that is given from a server. You can read and set cookies through JavaScript, which means that yes you can make it do the "keep me logged in", but this involves implementing a refresh token system, which is a whole other system. A cookie can be useful for storing your credentials when you login (look into "JWT") which encrypts data to a 1-way operation so that you can always validate if a request came from the client and was not tampered with. But like I said, you can put literally anything you want in a cookie, but it's usually used to store your login "session id" or your "token" so then the server can authenticate you upon a request.
To address the rest of the thread / any other information:
Javascript isn't bad, just bad usage of such language.
The only way around this is to never login or touch a page ever. You HAVE to login in order for this type of attack to happen. Another thing, usually OAuth2 will tell you exactly what type of permissions the developer has when accessing your account. Discord does this very well, telling you "This will allow the access of your identification, guilds and email" for example.
Here's an example of OAuth2 "Login through Discord" with Mee6:
[img]https://cdn.discordapp.com/attachments/629450079887163442/782788580900470784/unknown.png[/img]
Here's an example of OAuth2 "Login through Steam" with demos.tf (api.demos.tf in this case):
[img]https://cdn.discordapp.com/attachments/629450079887163442/782788815566929950/unknown.png[/img]
Cookies aren't the only way a web browser has access to certain key/value pairs. There's also local storage, session storage, and of course a database. Peeking at cookies will not tell you certainly what or where your data went / has gone, but the only trust you have is in the domain you're accessing and the people behind it. Do not assume that just because there's a cookie that you're being hacked either. Cookies, local storage, and session storage all have their pros and cons to web development, and it's entirely up to the developer on how to use these APIs responsibly.
JavaScript, Steam, and any OAuth2 service that is out there are very secure. Logging in does not grant a user the ability to magically change your inventory or change your password without your consent. In addition to that, 2FA would stop anything, and bypassing this is not something that I've never heard happen (especially with a company such as Steam). There's plenty of exploits that I don't know about, however if you're sure that you never provided details (i.e. logging in through what looks like steam but is actually a spoofed website) through any medium and you're sure it's the fault of Steam, you should probably create a ticket on support, and while you're at it report the user and website you were given.
In addition to any of this, it's very easy to spoof a login website. If you're running chrome and save your steam username/password so you can just click on your account and login and you don't see that when you're trying to access a login page then you're most likely on a spoof site. Look below on details on how to exactly spot one if you're not sure. Again, if you do not trust the website or it's not properly established, then do not risk anything.
TL;DR:
If you log in and you do not see a green padlock (or just a padlock) left of the URL on the top of your screen when on the Steam page to sign in, you are getting spoofed. Proofread your URLs before logging in.
Here's a picture of what that would look like:
[img]https://cdn.discordapp.com/attachments/629450079887163442/782788090480951296/unknown.png[/img]
That padlock ensures that all your traffic is encrypted (at least between the browser and the server). However, just because this is secure does not mean it's the real Steam server...
Beyond the padlock:
[img]https://cdn.discordapp.com/attachments/629450079887163442/782789923820142593/unknown.png[/img]
Clicking that "green" (or white) padlock will bring up connection details on Chrome. You can check who certified that certificate, and for steam, this will always be on behalf of the company (Valve Corp [US]). Company certs are always going to be from the company, as they're expensive and only given to real legal entities.
Hope this answers some questions about how logging in may give details about your profile, as told by a web developer. I do not know everything certainly, but I think I have worked long enough to at least tell people what to look for if you're skeptical.
Just please, don't click links that you've never heard of or "test" the website. You will always certainly not be the first person to fall victim.
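Added example, not part of any post in this thread: the "proofread your URLs" advice above written as a check, showing that the padlock (https) is only the first test and that the exact host name is what matters. The allow-list of expected Steam sign-in hosts and the function name `checkLoginUrl` are assumptions made for this example; all lookalike URLs are constructed and use the reserved `.example` domain.

```javascript
"use strict";

// Assumption: the hosts this user expects a Steam sign-in page to be on.
const EXPECTED_HOSTS = new Set(["steamcommunity.com", "store.steampowered.com"]);

// Returns { ok, reason }. Each rule targets one way a URL can look right
// at a glance while pointing somewhere else.
function checkLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not a valid URL" };
  }
  // Padlock test: without https anything on the network path can read it.
  if (url.protocol !== "https:") return { ok: false, reason: "not https" };

  // "https://steamcommunity.com@other.example/" : text before @ is a
  // username, the real host comes after it.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo before @" };
  }

  const host = url.hostname.replace(/\.$/, "").toLowerCase();

  // The URL parser converts non-ASCII host names to "xn--" labels, which
  // is how visually identical letters from other alphabets show up here.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "internationalised lookalike host" };
  }

  // Exact match only: a familiar name used as a subdomain or as part of the
  // path of some other site does not count.
  if (!EXPECTED_HOSTS.has(host)) {
    return { ok: false, reason: "unexpected host: " + host };
  }
  return { ok: true, reason: "expected host over https" };
}

// Constructed sample URLs.
const samples = [
  "https://steamcommunity.com/openid/login",
  "http://steamcommunity.com/openid/login",
  "https://steamcommunity.com.login.example/openid/login",
  "https://steamcommunity.com@login.example/openid/login",
  "https://login.example/steamcommunity.com/openid/login",
  "https://st\u0435amcommunity.com/openid/login", // Cyrillic "е" in the name
];
for (const s of samples) {
  const r = checkLoginUrl(s);
  console.log((r.ok ? "OK   " : "STOP ") + s + "  (" + r.reason + ")");
}
```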