Forum

> > CS2D > Scripts > Steamid safe?
Forums overviewCS2D overview Scripts overviewLog in to reply

English Steamid safe?

10 replies
To the start Previous 1 Next To the start

old Steamid safe?

JonyFrosta
User Off Offline

Quote
is the steamid check safe?
I want to bind data to players by player(id, 'steamid')
Can a player, without access to the server, change this data (I mean steamID)?
edited 1×, last 21.02.24 10:12:32 am

old Re: Steamid safe?

Mami Tomoe
User Off Offline

Quote
Steam ids can be more easily spoofed by hackers when compared to USGN ids.

I suggest integrating 2FA of sorts if you're planning to use STEAM ids.

old Re: Steamid safe?

JonyFrosta
User Off Offline

Quote
I'd prefer to use steamid.
Both in 2012 and now, my mail is not accepted for USGN registration. For me, it's easier to register steam, especially since everyone has steam now, than to register another service for just one game.

Either way, we're waiting for an official response.

old Re: Steamid safe?

Ranu
User Off Offline

Quote
What @user Mami Tomoe has said is false. The steps Steam takes to protect their users' accounts is more than USGN's. In CS2D, USGN is much more vulnerable than Steam, and especially USGN lacks enough server verifications, and there is a lot of hacked accounts which could be due to most likely using some external programs or exploiting an unknown vulnerability in the game likely when you join the server of the exploiter which could possibly lead to getting your data stolen (there is no evidence on this yet, so its just a possibility).

Use SteamID instead, it is much safer. But I'd suggest adding additional server verification checks for the steam account such as through CS2D HTTP get the data from the steam account, and verify the name. (I am unsure about this whether the server gets it directly from Steam, or from the client since I have never checked how it works)
If you're going to use USGN, then consider also adding additional server verifications for it aswell such as verifying the USGN name as it is a known security vulnerability the client sends the USGN name to the server instead of the server getting the USGN account name from official USGN website, so it can easily be modified by any client. I am not sure if
1
player(id, "usgnname")
gets the USGN name from the USGN website, or uses the cached USGN name that it gets from the clients when they first join. So I'd suggest performing HTTP checks for it aswell.
edited 3×, last 21.02.24 09:30:14 am

old Re: Steamid safe?

Gaios
Reviewer Off Offline

Quote
It looks like it's not safe to talk about that here, but my recommendation is: don't use steam id if you want to increase the security level (ONLY IN CS2D). I won't explain it in details, but just trust me. USGN is much safer.

old Re: Steamid safe?

JonyFrosta
User Off Offline

Quote
@user Gaios: In 2014-2015, my friend used Cheat Engine to change the USGN ID in the game client and logged into the server with that USGNID. He also enabled cheats and someone recorded him playing with cheats and sent it to the moderators of unrealsoftware.de. In the end it turned out that banned innocent people.
I don't really trust the use of USGN IDs after that.
That's why I'm asking if it's possible to change the STEAM ID.

@user Ranu: How do you propose to do steam verification? Where should I send my request? What should be in the request?

old Re: Steamid safe?

DC
Admin Off Offline

Quote
In general I would assume that Steam accounts are much safer than U.S.G.N. / UnrealSoftware.de accounts. That's because Steam definitely has more clever account protections in place and also offers 2 factor auth etc.

Which one is safer/more reliable in CS2D is a whole different story though because it depends on the implementation in CS2D.

Like user Gaios said that are... problems... with CS2D's Steam integration. There are vulnerabilities. Unfortunately there is currently no easy way to get rid of those.

The U.S.G.N. ID is relatively safe if (and only if!) cs2d cmd sv_checkusgnlogin is set to 1 (which is the default). I assume that in the scenario you described this option was turned off (some server owners do that because it can delay/freeze the join process). But if it's on you can be realtively sure that each ID you retrieve after a completed (!) login actually belongs to that user. Manipulating the ID is complicated and should be nearly impossible under real world conditions. You can do so locally but this won't change the ID on the game server.

Whether the IDs are safe enough for your needs depends on the data you plan to bind. If it's just stats and things like that it should be ok. If you plan to give admin permissions and stuff alike then you should probably add another layer of security e.g. a password.

old Re: Steamid safe?

JonyFrosta
User Off Offline

Quote
@user DC: I understood, thanks.
Another question, is the traffic transmitted via `msg`, `parse` commands encrypted? I would like to use the `parse` command to authenticate a user as an administrator. (I'm meaning to the `rcon` commands)

old Re: Steamid safe?

Mami Tomoe
User Off Offline

Quote
@user Ranu:
You misunderstood me.
I was referring to CS2D's identity verification, which was implied based on what the author said and where the topic was created.

If this were to be on the off-topic category, I would've not said what I said.

CS2D's check of U.S.G.N. is a lot more secure because it has been in place for longer, and because @user DC has full access to the game network which allows him to improve the security of the verification (there is cs2d cmd sv_checkusgnlogin but no cs2d cmd sv_checksteamlogin, that is because CS2D doesn't actually check if the STEAM login is valid, or at least not in a way that is as robust as the U.S.G.N. check).

Which is why, I highly recommend to not give staff permissions based on STEAM IDs alone, and either save it for just U.S.G.N. IDs or even better, add a password protection.

By the way, names are not verified (AFAIK) so you can spoof U.S.G.N./STEAM names, so never use those for anything important.

old Re: Steamid safe?

DC
Admin Off Offline

Quote
@user JonyFrosta: No, it's not encrypted. Plain UDP. Only cs2d cmd rcon uses (very basic) encryption for the rcon password and the transmitted command. So you could simply use that and then use the cs2d lua hook rcon-hook to entirely control on your own what happens with the input by letting it return 1.

Only downside of this is that you have to use the same password for everyone. Or you could have another hook which changes the rcon password to a user specific one. Or you require an extra password which is then part of the "cmds" string...

old Re: Steamid safe?

Ranu
User Off Offline

Quote
I recently got a chance to take the first look at the Steam verification, and there is almost nothing
So just as others said and to correct what I said, Steam is even more vulnerable in CS2D, but USGN is also quite vulnerable. 100% avoid using Steam for almost anything in CS2D.
Double-verification and creating your account system in your server is the best option.
To the start Previous 1 Next To the start
Log in to reply Scripts overviewCS2D overviewForums overview