Would not "Bugs/Suggestions" be a better category?
Comment has been collapsed.
If SG could check the original activation date of the game it would mainly solve the problem, no?
Comment has been collapsed.
I think that then there's a problem with demos and/or free weekends. These would show up as "original activation date", making it difficult to enter GAs if you played a demo/free weekend of the game.
Comment has been collapsed.
I dont think you can check such thing unless you are 1) having the ownership of the said key (eg:devs) or 2) have access to support who can check it for you, and i doubt sg has such privileges. Feel free to prove me wrong, though. It would be awesome if they indeed have the means to do so.
Comment has been collapsed.
Yikes didn't originally think of the biggest implications of this, but I can't imagine what cg could do. Maybe in order to register you have to show your library with no hidden games, and sync it with proof every x amount of time. I can imagine people will not give AAA's anymore as much.
Comment has been collapsed.
Can SG check if there are hidden games? I would think that Steam's API will not provide this information.
Comment has been collapsed.
I don't know much about the whole process, but if the data is taken from the games page as a reference, it wont show there, however, since users login through steam on SG, I'm assuming you should be able to see their activations and dates there properly as I'm guessing the owner of the account should be able to see those games there too, however unsure if this data is available to sg via api, my guess is that it isn't as then you can just make public the hidden games of anyone who logs in into your site and I doubt steam wants that.
So basically what calibr3 suggested is my only guess too but I don't think that data is available.
I mean worst case scenario if this data isn't available, they could make a google app/esgst script or something and then the user would have to sync through basically for themselves, kinda like now but with an extra step. Something of the sorts of user goes to the steam activations page, scrolls all the way down to load everything(or I mean the app can scroll until end of page probably) and then the app just reads all the data on the page and sorts it by lines. You'd have to cut all the unnecessary information out, figure out all the placeholders, start and end points, but I'm guessing once you know where to start in the script it works pretty flawlessly. Like you can do a search for phrase for lets say "license_date_col" you skip 2 chars, read and translate the date, skip another 4 chars and the empty line, read the game name, record that, then look again for the next "license_date_col" and repeat the steps until there's none left.
<td class="license_date_col">Dec 13, 2023</td>
<td>Dry Drowning </td>
This is what it looks like in the google javascript inspect of the page, plus each activation has a bunch of other syntax but that can be ignored basically by just going to the next license date col.
I'd imagine doing it like this through an app though would make syncing the libraries take much longer than it does right now though.
Edit; Thinking about this a bit more, not sure how reliable the data would be. The bot would probably have to refresh the page at the start, as some could just delete certain elements in the inspector and then start it, and then said games wouldn't show up. But even then, there are probably ways to make it so whenever you load the page, those specific elements get deleted(kinda like how adblockers delete ads), so when the bot looks for them, it still wont find them. Someone more experienced would know of better solutions probably.
Comment has been collapsed.
I don't think this is too concerning tbh. You are already able to do something similar by deleting a game from your account (which could then be easily recovered), although this does simplify the process. Winners should be careful to not private their wins so as not to show up as an unactivated game.
Comment has been collapsed.
What AmanoTC is saying is that a user could go buy baldur's gate on steam right now, then hide it away, and then enter giveaways here for it. If they win a key, then they can sell the key, but they already owned the game all along. It's not about multiple wins, but winning something you already had.
Comment has been collapsed.
Read what they wrote before commenting. You can already do this.
Comment has been collapsed.
The point was that as he says too, it provides a much faster, simpler way of doing the delete thing. Winners not making private their wins is irrelevant, because if someone already had the game hidden, they can still enter and sell the key, and there's no way to know if they have it or not private. Nor does this have anything to do with an unactivated game, because if they went through the steps op listed, and that you can do by deleting a game as well, then the game would show as activated. What he's basically saying is "be nice' but someone who's gonna abuse the exploit wont give a damn about "be nice".
Comment has been collapsed.
Yes it streamlines it, from a 1 minute process to a 20 second one. But, you've already been able to do this for a long time and CG did not change anything.
Comment has been collapsed.
Maybe, but before, you also couldn't play said games while they were removed. If I'm correct with the new feature, you can still play these games, although they are hidden and the api doesn't detect them. So it's made the process a lot worse, as in before it was more of a hassle. Now, it is much less of a hassle, not just 1 min to 20 seconds imo.
Comment has been collapsed.
There's already 100's of exploits on Steamgifts with auto-joiners, multi-accounts and group giveaways - people making giveaways only for groups with 5-6 entries and rotating wins and purchases... looks at op's profile oh nvm xD Regardless CG doesn't care unless it's earth shatteringly broken and reduces traffic on the site
Comment has been collapsed.
Maybe I'm missing something but even right now a user can simply remove the game, sync with SG and then restore the game right after. Allowing them to enter giveaways, while still having/playing the game. Rinse and repeat every week til they win the game they want or get bored of doing that. I agree that this change will make that process much easier, but if someone really wants to exploit the system, they already can.
Comment has been collapsed.
The thing with processes is the easier they are to partake in, the more chances more people will take advantage of it.
I've never removed a game from my acc but someone pointed out that you gotta make a ticket and a ticket to restore it. Is it automatic?
Comment has been collapsed.
They haven't done tickets for years and years (and it's worth noting that ticket deletions WERE permanent, and were such even when support deleted the wrong title from your library, as they once did to me). At present it's basically just a stronger version of Steam's "Hide Game" function, now, with the same level of (im)permanancy.
It takes a wee bit more time than deleting active giveaways on SG does (as adam notes below, I'd estimate Steam game removal/un-removal at about 20 seconds tops, compared to SG's fairly instantanous deletions), but it's about as straightforward and self-managed, and with even less effect on the individual doing such.
Comment has been collapsed.
The "1 minute process" is already only about 20 seconds, it's super streamlined in the client.
Even if the new method just 5 seconds, it's a negligible difference for the same result.
Comment has been collapsed.
I've never removed a game from my acc but someone pointed out that you gotta make a ticket and a ticket to restore it. Is it automatic?
Comment has been collapsed.
No tickets involved to remove or restore games on steam anymore. It is all self-service via the support pages and happens instantly.
Comment has been collapsed.
Deleting a game from your account requires a Steam Support ticket. So I'm curious what is required for recovering that game - Another support ticket? Is key reactivation possible using the same key after game deletion?
Comment has been collapsed.
It does not require a ticket, it's instantly done and if you want it back you do the exact same thing and it's back right away, only thing is that there is no list of removed games so you need to remember the games you removed since else you may never find it back!
Comment has been collapsed.
I've deleted trash from my Steam account without a support ticket.
Comment has been collapsed.
And I've removed games temporarily to get past poorly designed Gleam requirements so I could "Wishlist" and "Follow" owned games only to reverse the process right after.
Comment has been collapsed.
They haven't used Support tickets for deletions in years, and deletions through that system were indeed permanent.
At present it's simply a different variation of Steam's "Hide Game" function, with about the same level of impact on your account in every respect (other than that removing games allows you to activate games that are bugged and won't activate if another version of the game is already owned.. and, of course, that it can be used to exploit certain websites).
Comment has been collapsed.
You can remove or restore any subscription in 5-10 seconds.
Comment has been collapsed.
I have never deleted and restored a game, but it probably means you can't play that game if it is deleted.
Comment has been collapsed.
Is this still not working..? or maybe later you will be required to open a privacy account if you want to enter SG
Comment has been collapsed.
Well it doesn't show when synced if it's hidden. The whole point of the new feature is to hide away games in your library so no one can see them so they don't show in the games section on your account. If someone could just publicly unhide your library, then it defeats that purpose and steam wouldn't be too happy about their new feature. Thankfully it's still in the beta.
Comment has been collapsed.
Oh I just understood how that works, thank you for answering have a nice days
Comment has been collapsed.
It's still early so forgive me if I'm missing something obvious. But I don't see how this is a problem.
- You cannot enter a giveaway for a game you have already won before, even if you haven't synced your profile yet. You will get the error: "previously won giveaway".
- You are required to activate all your wins. If you don't, you get suspended. A similar situation can already be seen when people remove games from their library.
Comment has been collapsed.
It's not about winning twice, but about winning something you already have from some other source. I could go buy baldur's gate 3, hide it on my account, then enter giveaways for it. SG would have no way to prove I already have it, and when I synced it wont show, because it's a hidden game. Then all I have to do is display it again in my library after I win, and the key I got from SG I can sell. This will be a bots paradise, because many of them already have certain games, however, they could hide their entire libraries, and the available games they can enter just went up. Then, they can sell those keys, and no one can ban them for it because there's no way to tell.
Comment has been collapsed.
- I think that only works if someone won the game on sg. Not if they had it already on their account. The fear is someone can enter a GA despite already owning the game by hiding it and then sell/trade the key and then unhiding their original copy to make it seem like they activated his win.
- Again the same thing. This change might allow users to enter GAa for games they had already bought by simply hiding it.
Comment has been collapsed.
So machines are winning. Let's see what Cg will say.
Edit: why this option is added to steam, I don't get why you will want to use this?
Comment has been collapsed.
It's the best option for those who are ashamed of playing hentai games, but want to look like the are honest to god people. You wont get them to admit it tho. How can we prove it though? Simple, because there was already the option to remove the game if they really didn't like it, there is also an option to hide the game in their library so it doesn't show up when searching for it, and lastly they could private their games. So what this new update does, is basically lets you hide away from others, while still playing your favorite furry games.
Basically for those who aren't confident in their own skin and that are people pleasers.
Comment has been collapsed.
I get the fear and frustration people have over this update and could potentially spark issues, but these will probably be more isolated cases, I hope. Hidden or deleted games should still somewhat show in a database, or maybe, and don't quote me on this, SG will automatically detect it as won and even if it's hidden, they can't enter giveaways already owned. I don't know how this all work and it might be as easy as I just said if, but like other websites, sometimes it tracks delisted games in library and some others don't, including Steam.
Comment has been collapsed.
I mean multiple wins shouldn't be the issue because that's always going to be reason for a suspension. This is more for those who already own the game, hide it away and enter for it. As for sg detecting it right now, I highly doubt it and the feature is only in beta. Even then, the only proper solution is if steam provides api access to activations which don't think steam gives access to atm as it defeats the entire purpose of being able to hide a game in your profile.
Comment has been collapsed.
Not sure what are the terms between Steamgifts/Steamtrades and Steam to be honest. Idk what we're doing is considered 100% legal or not.
I don't think the provide any access to their API beyond what we currently have. I am hoping that hiding, doesn't mean it's hidden at the line of code and just hidden from the view of what we see, if that makes sense.
I am not qualified to speak for this, but I'd hope what people fear never happens and people are honest with what they get and do.
Comment has been collapsed.
I see no problem for SG at all, just a choice for each of us: either we want to use the new Steam feature and quit SG or ignore it and keep being part of SG. Something being there does not mean, that we have to use it (fortunately in this case).
Comment has been collapsed.
There's no way for SG to know if you use it or not. They'll have to write some extension for chrome that checks your activation page and as I note above even that can be spoofed I think, so not sure what the solution is.
Comment has been collapsed.
As others said this is essentially (years) old news, but also
repeat the same for another AAA game.
Result: Kashing!
you make it sound as if winning AAA games is so easy and a daily occurrence, well.. it ain't.
Comment has been collapsed.
Fair point, but if I'm running 1000 bots, I can just hide all their existing games, and now their available entries for ga just went up exponentially. Then I sell any key I win that I already had, and you can't ban because you can't tell whether I had it or not before.
Comment has been collapsed.
"All their existing games", not all their existing Baldur's Gate 3s
Comment has been collapsed.
Haha no, but the point was this can be done with less relevant games too. What if you had 1000 bots that had every game from the wb bundle. or worse any cheap game that has trading cards? It's still free real estate that some other user is trying to win. Highly doubt anyone would ever do it on a 1000 scale but I do like to exaggerate things for example purposes.
Comment has been collapsed.
It was possible before with a bit more invested time as it will be available now.
And yes, it got used from a lot that claimed the key are dupe.
To sell/trade the first key and get eventually a second key on top.
The only difference is that you can't detect it anymore because you don't see achievements of this game(s).
And of course, it is easier to use for many games. As example hiding 100 games that way would be easy and not prevent from playing them at the same time.
So the expected win/earning from doing it will be much higher as before.
SG is a cheater heaven and will now, most likely, transform to a cheater heaven++.
To be fair, in this case i don't see what cg could do against it. But i am no programmer, so maybe i am wrong.
Comment has been collapsed.
My first thought was "Oh crap, he's right, that's bad", but the more I think about it, the more this seems like an unlikely edge case because
It only affects users that already own the relevant game from a source other them SteamGift and it can only happen once per game per user.
So, in essence I feel like this boils down to: This potentially allows nefarious users to win the chance to refund an owned game instead of winning a free game. And while this feels like an abuse of the spirit of the site it does not feel like dangerous abuse.
Comment has been collapsed.
The danger is if someone hosts a giveaway of a larger AAA game, say, Baldur's Gate 3. Someone could essentially already own the game on steam, private it and enter the giveaway and potentially win the game and then unprivate the game and use the key of the won copy to resell.
Comment has been collapsed.
Eh, yeah, I know? That's what the main post already said.
I'm just adding that I don't see the big danger there. In your example of a BG3 GA the only potential bad actors are people that are eligible to enter the ga and already own this game. In the unlikely event that they win the GA and they go through with it in essence you reached the same result as if they somehow managed to sell their owned game and then win it.
This is not relevant to random bots etc, only to people that have already spent money to have the game so Yes, it's against the spirit of the site, but in the end, from a strictly monetary point of view this feels like a non issue, because in the end the result is the same, the gifter gave away the game as intended and the winner has the game without having to have spent money as intended, the only difference is that the winner already was able to play the game before winning it.
Comment has been collapsed.
I generally agree with everything you said. I don't think it's a loophole that's ripe for systematic abuse because of the monetary cost of setting it up and the one-off nature of it. Most cases of abuse are likely to be crimes of opportunity - someone sees a giveaway for a AAA that they already bought, so they hide it for a chance at what's essentially a refund. The danger of the new Steam feature is that it makes this form of trickery easier and more tempting to the average user, so we might see more cases of sporadic abuse here and there but I don't think SG is going to collapse under the weight of mass cheating.
Where the real monetary gains and cheating opportunities lie is in expensive, delisted games where original cost << current value. Take for example Alpha Protocol: It was in 2 cheap bundles several years ago and is now delisted and fetches close to $100 in key shops. Many users already own the game thanks to the aforementioned cheap bundles so now they have the opportunity to snag a very valuable key by hiding their ownership of it. But this is nothing new - the hardcore cheaters who want to abuse SG for profit are likely already targeting such keys so I don't think the planned changes bring anything new to the table as far as they're concerned.
Comment has been collapsed.
I have two more thoughts on the subject:
-
I disagree with the characterization that it's simply "against the spirit of the site". It's outright cheating. The person who hides games in their account is getting opportunities that they shouldn't be entitled to and are boosting their odds of winning. From an ethical standpoint, it's not much different than having multiple accounts.
-
I was only focused on cheaters abusing AAA or delisted games at first, so I agreed with you that it was an unlikely edge case. Now that I think about it, I see the potential for mass abuse of average bundled games. Imagine a user with thousands of games that they bought thru bundles. Now they can make a few hundred of the most valuable ones private to try and win them. The gain per key would be small but done over enough games and over a long period, it can be significant. And sometimes an individual key can be worth a lot more than what it cost in a bundle. e.g. A Hell Let Loose key goes for $20 these days but cost a fraction of a dollar from HB Choice.
Comment has been collapsed.
wasn't this kind of already possible before though? say someone wanted to win a game they already own.. they can remove that game from their account, then bring it back if they win after receiving the key.
i don't know how this all works in the backend so i could be wrong.
Comment has been collapsed.
It was, but how fast was it, and how easy was it to restore the game, and could you play the game meanwhile. Someone said it takes a minute, but then someone said you gotta make a ticket to remove and delete a game, do those have to be answered by support?
Comment has been collapsed.
Someone said it takes a minute, but then someone said you gotta make a ticket to remove and delete a game, do those have to be answered by support?
nope, it's automatic and instant, at least the single time i did it. i removed an achievement-spam game, then restored it later so i could delete the achievements. it's very easy.
perhaps if someone makes a habit of it, it'll raise a flag and might cause some human intervention? also worth noting you can't play the game if it's removed from your account.
Comment has been collapsed.
You most definitely don't need a ticket, and it takes 20 seconds max. Same amount of time to return it. You just need to use the support tab in the client, but it's entirely automated.
Comment has been collapsed.
I have one suggestion to gifters, at least this is how I did it for my own giveaways. Any game won, I made it a point to contact the winner myself, send the key when they are able to activate it, and made sure that the game shows up in their library. After that, I also redeem the key for myself as well, just as an added security measure. If I activate the key for myself, then great, the scammer is out of a free game. If not, also great because it means that the person activated my game.
Now, people could still do this exploit to get the game for a second time and activate their win on an alt acc. Why they would want two accounts with the same game, I don't understand that, but it is a possibility. Still, the way I do this does at least stop people who only have one account from abusing this and getting the game to sell or do whatever else they want with it.
Comment has been collapsed.
Your way works, true. But only if you don't already own the game you're giving away. If you can't make sure to invalidate the key after you give it to the winner, winner could potentially still sell the won key.
I mean, of course, you also could have multiple accounts and activate the key there. This would leave you with the same game on several Steam accounts, tho. But I guess you exposed a scammer, so... Still worth it?
Edit:
Why they would want two accounts with the same game, I don't understand that,
If you're here long enough, you'll see that the energy some people find only to idle cards to sell those for pennies is infinite
Comment has been collapsed.
People farmed free GTA5 copies when Epic handed it out, and sold the accounts. Steam is not an exception for similar behaviour, and one can keep multiple "alts" to build different game portfolios. Still a small chance for that, but definitely a possibility
Comment has been collapsed.
Good suggestions but I doubt most gifters would want to go through so much trouble each time they send a key.
Another thing to watch out for is the Games counter on Steam. Unlike the current method of removing/un-removing games through support, the new method of making game Private doesn't affect that counter. So, if someone claims to have activated a key but their counter doesn't tick up, it's a red flag.
Comment has been collapsed.
A possible solution would be for SG to develop a browser extension which pulls the data for syncing directly from:
https://store.steampowered.com/dynamicstore/userdata/
This page is only visible to the logged user himself, and would include any hidden or private games, including games removed from store (like banned or delisted).
Everyone will have to install this extension to use the site. Yes I don't like that and I imagine many would not either.
Comment has been collapsed.
Yeah I was wondering the same thing. Some sites ask you for your steam API key to get details you can normally only see, I wonder if that would still show hidden games? Then anyone using the site could be asked to enter their API key and that is used to grab all games.
Comment has been collapsed.
yeah the API key/token is as good as an authenticated/logged user, so it can basically pull data from your account as if it was you.
Comment has been collapsed.
Would be interesting to see if hiding the game does anything to the API data
Comment has been collapsed.
haven't tried it but I imagine it wouldn't, this page is by design only visible to the owner of the account, which means showing your games without any filtering, same goes for the gated API
Comment has been collapsed.
https://developer.valvesoftware.com/wiki/Steam_Web_API#GetOwnedGames_.28v0001.29
I'm not sure if this provides the same data as the userdata, but looks like you can even check private profiles if you know the userid and their api key. We have to wait and see if private games show up here, but this could be a relatively simple solution.
I have provided my API key on other sites before, never got hacked or smth. Also it would allow us to set our steam profiles private.
Comment has been collapsed.
Well I did it before many times. There were some stat sites. I think asf uses it too. I think it was meant for 3rd party apps and public data scraping, it wouldn't be able to get private data at all, if it wasn't meant to get it. It would still be private, just through this sg 'app'.
Comment has been collapsed.
I just don't understand what it is meant to do, if you can't share it? If it was only meant for app owners to get public data, then why you can do some trade operations with it and get private user data? Should everyone make their own app? Or it's meant for local executables only? But unless it's an open source app, how can you trust it more than for example SG?
https://steamcommunity.com/dev/apiterms
It says it's personal to your application, but what does it mean? What kind of application? Only local? Or made by you?
Comment has been collapsed.
Or it's meant for local executables only?
This, basically. You can't share it, but it can be used by local software. The API key is not meant to allow others to access you private data (if a website asks for your API key, run away from it, fast), it's only meant to allow software to use your private data (and not share this data).
But unless it's an open source app, how can you trust it more than for example SG?
That's why you have a firewall installed and properly configured.
Comment has been collapsed.
SteamGifts already uses this API when you sync your account:
- https://steamapi.xpaw.me/#IPlayerService/GetOwnedGames
- https://partner.steamgames.com/doc/webapi/IPlayerService#GetOwnedGames
The difference is that they use their own api key (i.e cg's), which means it can only fetch owned games from public profiles.
For it to be able to sync private profiles or even these new games marked "private", the api key must belong to the steam account you are syncing, i.e each user would have to supply their own to SG:
https://steamcommunity.com/dev
Like I said elsewhere, API keys are as good as your password, and can be used in other dangerous api calls, not to mention sharing them is against the ToS.
As for the data returned, the "GetOwnedGames" is different from the "userdata" page I mentioned, they return different data and formats. I included a sample of the data returned below for comparison.
PS: I have not yet tested the beta steam client to see how the new "private game" feature affect the results.
userdata
https://store.steampowered.com/dynamicstore/userdata/
I should highlight again that this URL is only accessible when you are logged-in as a user in the browser, you cannot "call" this as an API from a server. You cannot get someone else's account data, only your own. This is why I mentioned the proposed solution being a browser extension which in theory would run client side and send this data to the remote SG servers.
{
"rgWishlist": [555,666],
"rgOwnedPackages": [789,987],
"rgOwnedApps": [123,456],
"rgFollowedApps": [],
"rgMasterSubApps": [],
"rgPackagesInCart": [],
"rgAppsInCart": [],
"rgRecommendedTags": [{},{}],
"rgIgnoredApps": [],
"rgIgnoredPackages": [],
"rgCurators": {},
"rgCuratorsIgnored": [],
"rgCurations": {},
"bShowFilteredUserReviewScores": false,
"rgCreatorsFollowed": [],
"rgCreatorsIgnored": [],
"rgExcludedTags": [],
"rgExcludedContentDescriptorIDs": [],
"rgAutoGrantApps": [],
"rgRecommendedApps": [],
"rgPreferredPlatforms": ["win", "mac", "linux"],
"rgPrimaryLanguage": 0,
"rgSecondaryLanguages": [],
"bAllowAppImpressions": 0,
"nCartLineItemCount": 0,
"nRemainingCartDiscount": 0,
"nTotalCartDiscount": 0
}GetOwnedGames
curl -L -o data.json -X GET -H "Accept: */*" -H "Accept-Language: en-us" -H "Accept-Encoding: *" "https://api.steampowered.com/IPlayerService/GetOwnedGames/v1/?key=<SECRET_API_KEY>&steamid=76561198047167723&include_appinfo=true&include_played_free_games=true&include_free_sub=true&skip_unvetted_apps="
(note that if you fetch your own account data using your own apikey, you also get a few extra fields per game, namely: playtime_windows_forever, playtime_mac_forever, playtime_linux_forever, rtime_last_played, playtime_disconnected)
{
"response": {
"game_count": 999,
"games": [
{...},
{
"appid": 2713070,
"name": "Few Nights More: Genesis",
"playtime_2weeks": 31,
"playtime_forever": 31,
"img_icon_url": "445987641dc5354afe80297098344c4ce4b5bf37",
"has_community_visible_stats": true
}
]
}
}Comment has been collapsed.
Seems both lists don't include games which have been removed through Steam support. A browser extension could retrieve the corresponding Steam support page in order to check whether a particular game has been removed. But as Carenard pointed out, free weekend licenses technically count as removed games. So this needs to be taken into account.
Comment has been collapsed.
Is it really as good as your password? Can you delete or purchase games with it? Can it change your password or email?
This API is really weird, if it was meant for querying public data from the site, why does it have trading capabilities and access to private data? It's just weird, why can it do all that if you are not meant to use it? Like I said I used it on some sites, nothing ever happened. I don't think they really care about what people do with the API, they ban a few people once in a while who do some scummy things with it. Will they ban everyone on this site just for importing their game list?
Saw some reddit posts about people getting banned, but I only saw traders and the reason was using their account for commercial purposes https://www.reddit.com/r/csgomarketforum/comments/inud19/q_can_you_still_get_banned_for_sharing_your_api/
Lot of people use ASF with their API key(me too), never heard people getting banned without doing something weird with the key.
Are you sure getting the userdata with some 3rd party tool isn't prohibited too? It's a good idea, but it might be a bit more complex to implement. For example I don't think it would be impossible to pass fake data to the extension/site. With an API you can't fake the data.
My main point is just that this API is weird...
Comment has been collapsed.
Obviously not equivalent to a password, my point is it can do dangerous things, like someone can empty your inventory with it if your api key was leaked.
ASF
ASF runs locally on your machine, api keys it generates are used on your behalf completely on your computer, they are kept encrypted and never transmitted to someone else, which doesn't violate the ToS. ASF is an open source project with many eyes on it, so we'd quickly know if at some points it starts doing shady stuff
Plus I remember reading in a recent ASF changelog that they changed the internals so that now it doesn't use api keys anymore, opting for web tokens instead. Apparently Steam made some changes recently so that generating api keys require 2FA confirmation (a good thing for security)
fake data
it all depends "where" the code logic is running; I've mentioned this before, anything that runs on client side (like a web extension) can be manipulated. Unless SG pulls the data directly from steam servers by making an API call (which in the case of "userdata" page it can't), there's always the possibility of it being manipulated to some degree.
but yes, steam apis are notoriously poorly documented, with projects like steamkit very hard to grok ;)
Comment has been collapsed.
that would also show DLC owned to right? might be good for SG to implement that anyways.
Comment has been collapsed.
Yeah it does seem to, so I guess that would be that's a advantage
Comment has been collapsed.
yes, "userdata" shows all apps and subs (DLCs, packages, delisted, everything), so no more "check your library before entering this ga" headache
Comment has been collapsed.
wait, with an API key you wouldn't need and extension, right?
Comment has been collapsed.
Looks like we could provide the steam web api key and user id and sg could check our owned games with it https://developer.valvesoftware.com/wiki/Steam_Web_API#GetOwnedGames_.28v0001.29
Comment has been collapsed.
It surely sounds like a good idea at first; as long as you can prevent the API keys leaking from your database.
The problem is, that you can't be 100 % secure of data breaches.
Comment has been collapsed.
I suggested something similar above using an extension, but I don't know how they'd make it work, I could create a filter to remove certain lines from that or the whole thing when the page is loaded, and the extension would have no way of knowing assuming it doesn't go ahead of the page being loaded somehow.
Comment has been collapsed.
The "userdata" endpoint returns a JSON response which the extension can directly use, no parsing any HTML needed.
In fact the result has plenty of useful stuff like the wishlist, ignore list (which can be synced to SG as well), DLCs and delisted games (which the current solution doesn't properly sync) and even exact package IDs that don't even have a store page. This is useful for all those reroll cases where the winner finds out too late they already own the game/dlc.
One thing to note, for a determined "adversary" anything that runs on client side can be manipulated, including any such extensions ¯\_(ツ)_/¯
Comment has been collapsed.
Probably the only solution here, to get the userdata. It would solve a lot of issues. I wouldn't mind installing an extension for synchronising my data. But the extension should only be required for synchronization, I use the site from mobile a lot.
Comment has been collapsed.
Well, it was possible for years with removing game and then restoring it. Now it just got a little easier, and that's all. There is not much can be done about it, and you are only making it worse by posting exploit scenario publicly.
Comment has been collapsed.
I agree.
Furthermore, you all just address the abusive potential, as everyone here has bad intentions.
That's obviously not the case…
The most used case would be the privacy aspect. Not everyone likes the idea, that a visitor of your profile judges you because of a few LEWD games, right?
Why don't we just require a proof, that I own a won, but yet hidden game?
This might also apply to games, which have been removed from steam.
F. E.
User
1) Has previously won /owned a rated /LEWD/... game
2) game is suddenly hidden from SG
3) User will be asked for details
Comment has been collapsed.
I dont know if anyone could bypass this barrier from steam side. BUT we can at least do one thing on SG side- check sg data against itself at least, meaning if someone won (all the way to received) a game it counting as owned, not even allowing to enter future GAs even if not owned later (hidden or removed from steam).
It wont prevent abuse but will at least dimish it a bit, preventing from doing that with the same game multiple times.
Comment has been collapsed.
This exploit would be addressed by using the direct gifting function as it pertains to new games.
Probably not an easily solved issue when using the key option though. Permanently logging games to a SG account when the account syncs would mostly work, except it wouldn't account for the Steam refund system.
Comment has been collapsed.
I say that this should have been implemented long ago and most certainly now!
Requiring the winner to do a little legwork is not a problem with me. To this point 100% of the work and effort for giveaways is placed upon those who gain nothing from the giveaway - the gifters. Requiring those entering giveaways to provide proof of refund to SG is not unreasonable and certainly no user should have many giveaways to worry about. Especially considering the question: if you asked for a refund of a game... why do you want to enter a giveaway for that same game?
Comment has been collapsed.
i see one thing dangerous here:
ppl hiding won games here and marking it 'not received' after some time or even seconds after activating, especially some AAA titles. They can tell its being revoked or just not working
Comment has been collapsed.
That's not exactly a new "attack vector", if someone had evil intentions they could simply activate a key on a second account and claim that it's not working and was already used... After all, there's gotta be some level of trust being users.
Comment has been collapsed.
ye but now it will be easier to add games to main account instead of giving it to alt or friend
Comment has been collapsed.
This is true, it's not like this will be massively abused since that would be a red flag if no gift they win had a working key, but I think it's all the little things added up together that you can do with this that make it all up a big problem.
Comment has been collapsed.
I see this as an easier way to accomplish something that was already possible. So much easier that there is a good chance it will be abused a substantial amount.. A person could remove a game from their account and then restore the game to their account once they have won. In theory SG could prevent wins for games that were previously owned if they kept track, but that would also affect refunders and possibly Free Weekend or beta players etc.
Comment has been collapsed.
PSA about this whole "privating games" thingy: they won't show to friends, but will still show up in family sharing. (was thinking of that other thread that talked about adult games, and the feature being potentially useful for parents)
Comment has been collapsed.
This is probably because it's meant to be hidden from external views but not internal ones. Those on family sharing are internal and those who just hide it in their games section can still play them so it still shows in their library. The only proper way would be to remove them completely.
Comment has been collapsed.
https://help.steampowered.com/en/faqs/view/6B1A-66BE-E911-3D98
"Family Games Library
If you’ve opted to only allow access to a subset of the account’s library, your account’s library will include a new group called Family Games. Family Games are the games you’ve chosen to remain accessible while in Family View."
As far as I know, you can use Family View to restrict shared games already. It's not an easy to manage feature, but in theory you should be able to "private" games through sharing already, independent of the new privacy feature.
( Keeping in mind that to set up sharing in the first place you need to log into your main account through the secondary account (meaning you'd then immediately be able to tweak details after), and that Family View seems to only allow games that have been flagged as acceptable (as opposed to not allowing games marked as not acceptable). This means it shouldn't auto-add any new content into sharing once it's added to the main account, instead requiring the parent to log in each time to mark new acceptable content for the child account. )
Basically, the new privacy thing wouldn't affect anything for those using Family View, even if it did affect sharing. It'd only be useful for those sharing without Family View enabled and.. well, sure, it'd be useful then. Maybe Valve'll update it in 10 years, as per their usual feature updating cycle.
(In the meantime, probably just easiest to have a secondary account for your porn games if you're a porn-inclined parent. :P)
Comment has been collapsed.
Yeah, Family View is set up on the end account (that beneficiates from the Family Sharing), so two different features.
(I just thought it'd declutter the shared library from the shovelware I got for cards. lol)
Also, nice pfp. :D
Comment has been collapsed.
Someone said if you try to "gift" a game they own that is private it will say they own it. So there is a way to check?
Comment has been collapsed.
Too small of a problem in my opinion. For a person's odds to manage to achieve such a scam are even less than 0,10%. I don't think someone will risk buying an expensive product just to try his luck on finding someone who hosts a giveaway for it on SG AND winning at the same time.
Comment has been collapsed.
You can instantly buy a game as private and only make it visible on your profile only after you won here...
Comment has been collapsed.
Honestly why is this even a concern? Who cares what you play? Why are you worried if someone sees you play a pervy game? There are much more serious things to worry about in life. I thought site rules were pretty clear, if was not an issue before then why would it be now? Because you can go out and buy furry hentai and hide it? smh
Comment has been collapsed.
Most based comment i've ever read in my 9 years on this community!
Comment has been collapsed.
Hello CG, hello Support, hello community.
Steam has released a new feature to the Beta branch and will soon release it to the public: The ability to individually set owned games as private.
FAQ on private games.
This feature could break SG fundamentally and opens the door for abuse/fraud to cheat gifters out of (legit and valuable) keys, because:
As DiabLXIX pointed out and in my own words, this creates a huge problem! After the update goes live, a user always can hide an already owned AAA game, the API can no longer detect it as owned so the user can enter a GA for it and win it, sell the won key on the grey market or trade it away and unhide the game and sync his account here at SG (and SGTools) so that the API detects the game as owned.
Rinse and repeat or repeat the same for another AAA game.
Result: Kashing!
So my questions to CG and Support are:
Thank you for your input.
Comment has been collapsed.