Steam Info Security


martyj

So I use Leadwerks's Steam library for pulling the user information for who is playing the game.

I'm working on moving the player data from their local hard drive to pulling it down via a REST API. That way I can have high scores, and better persistence of data.

How secure is it to rely on the information coming from Steam?

I'd like to eliminate the ability for users to have to register for my game to play it online. But is there a compromise to security for this ease of use? Can we trust that Leadwerks will tell us which Steam account is currently up accurately? How easy would this be to fake?

Thanks,

Marty


I guess Josh might be the only one who could answer the question.

Does Steamworks work off of local socket requests to the local computer?

Edit:

I found some info. Apparently after getting a user's CSteamID you can verify its authenticity: https://partner.steamgames.com/documentation/auth

@Josh do you do this already? Or is this something I need to implement?


@gamecreator

I believe Josh just queries Steam for who is currently logged in. I don't think Josh is then verifying that the logged-in user is really who Steam says they are.

So anyone could potentially have an app running on the same local port as Steam does, that responds to the same calls, and fakes a logged-in user. Without some sort of backend verification of tokens you can't really know if a user is who "Steam" says they are.


Leadwerks incorporates the Steam SDK but it doesn't provide its own command set for it. So when you use a command like SteamUser()->GetSteamID() to get a user's Steam ID, you're getting information directly from Steam, not from Josh/Leadwerks. It's between you and Steam to do what you want to make yourself feel comfortable with the information you're provided, like the link you provided above to verify authenticity. I hope that helps clear things up.

By the way, this is all assuming you're talking about the Professional version and C commands. If this is something else then ignore all this.

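The backend token verification discussed in this thread, sketched as an added example that is not from any poster, Leadwerks or Valve: the REST API ignores the SteamID the client claims and trusts only the one Steam returns for a session ticket. It assumes the client obtains the ticket with GetAuthSessionTicket() and that the server calls the Steamworks Web API method ISteamUserAuth/AuthenticateUserTicket; the function names, the injected fetch callable and the sample responses are hypothetical.

```python
import json
from urllib.parse import urlencode

# Steamworks Web API method that validates a session ticket (needs a publisher key).
AUTH_URL = "https://partner.steam-api.com/ISteamUserAuth/AuthenticateUserTicket/v1/"

class TicketRejected(Exception):
    """Raised when the ticket cannot be tied to a Steam account."""

def build_auth_request(publisher_key, app_id, ticket_bytes):
    # The ticket produced on the client is sent hex-encoded.
    query = urlencode({"key": publisher_key, "appid": app_id, "ticket": ticket_bytes.hex()})
    return f"{AUTH_URL}?{query}"

def verified_steam_id(response_body, claimed_steam_id=None):
    """Return the SteamID that Steam vouches for, or raise TicketRejected."""
    try:
        response = json.loads(response_body)["response"]
    except (ValueError, KeyError, TypeError) as exc:
        raise TicketRejected("malformed response") from exc
    if "error" in response:
        raise TicketRejected(response["error"].get("errordesc", "ticket refused"))
    params = response.get("params", {})
    steam_id = str(params.get("steamid", ""))
    if params.get("result") != "OK" or not steam_id.isdigit():
        raise TicketRejected("no verified identity in response")
    # The ID sent by the client is only a hint; a mismatch means it was faked.
    if claimed_steam_id is not None and str(claimed_steam_id) != steam_id:
        raise TicketRejected("claimed SteamID does not match ticket")
    return steam_id

def authenticate(fetch, publisher_key, app_id, ticket_bytes, claimed_steam_id=None):
    """fetch(url) -> response body; injected so the caller picks the HTTP client."""
    url = build_auth_request(publisher_key, app_id, ticket_bytes)
    return verified_steam_id(fetch(url), claimed_steam_id)

# Constructed sample responses (not captured traffic), shaped like the API's JSON.
SAMPLE_OK = json.dumps({"response": {"params": {
    "result": "OK", "steamid": "76561190000000001",
    "ownersteamid": "76561190000000001"}}})
SAMPLE_BAD = json.dumps({"response": {"error": {
    "errorcode": 101, "errordesc": "Invalid ticket"}}})

if __name__ == "__main__":
    # 480 is Valve's Spacewar test app id; the key and ticket are placeholders.
    print(authenticate(lambda url: SAMPLE_OK, "PUBLISHER_KEY_PLACEHOLDER", 480, b"\x14\x00"))
```

Player data and high scores are then keyed on the returned SteamID, never on a value read from the request body.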
