Hackers stealing CSGO skins through iOS vulnerability, Steam API

By Nick Johnson

|

Nov 29, 2020

Reading time: 4 min

Most serious skin collectors and players have thier Steam account protected by two-factor authentication, but it turns out that having the securty feature on Steam isn’t enough. The hijacking of two high-profile accounts in the past year show that a user’s inventory isn’t always as secure as they think it to be.

On November 28, professional CSGO player Paytyn “Junior” Johnson woke up to find that almost his entire inventory had been cleaned out. He’d been the victim of one of two possible attacks that allowed hackers to access not only his Steam account, but also bypass Steam Guard, the platform’s two-factor authenticatior located on a user’s phone. But thanks to a simple backup option, Junior may have lost out on a hefty number of skins.

Hackers access pro’s Steam account, steal skins

Hackers are rumored to be able to gain access to Steam accounts using the backup images of iPhones, allowing them to empty an account’s inventories through a pretty serious flaw. The entire purpose 2FA is to have a second chance to regain control of a compromised account, so users are partly to blame as well. Here’s how it works.

Many players use Apple’s iCloud storage to store photos and contacts, but they can also decide to back up both apps and their settings to the cloud as well. If a player chooses to backup the Steam App, they’re also saving both their log-in credentials, incuding the username and password, as well as Steam Guard itself.

Blog post image

If the player includes applications in their backups, then it’s a fairly trivial process for a hacker that has access to the iCloud account to download this backup. Once there, several utilities exist where users can generate two-factor codes on the desktop instead of from mobile, a move that completely defeats the purpose of 2FA. What happens then is fairly simple, as the hacker uses those three pieces of information to empty the account, either to third-party websites or to a middleman account. Junior eventually recovered his account, but said he hasn’t received any of his lost skins as of yet.

Why do you need Steam Guard and other two-factor authentication?

As of 2016, Valve announced that with 2FA in place and the proliferation of third-party sites, they would no longer regenerate skins for players who had them stolen. Valve’s concern was that not only could a user pretend to be robbed, eventually getting the “stolen” skins back from a second account or the money from its sale, but that third-party skin sites were making a killing while the developer watched money move outside the Steam ecosystem. Since Valve takes a 15% cut of every CSGO item sold on the Steam Marketplace, so Valve obviously prefers to keep everything in-house.

How do Steam accounts get stolen?

There are three main ways. The first would be if a user’s email address and password were stolen. With those pieces of information, a hacker could reset the email connected to the account. Steam recommends that players never “use the same password for both their email and their Steam Account.”

Blog post image

The second way is through the process mentioned above, where the hacker has access to both the Steam Guard backup and the user’s email and password. The third way is through malware. Keyloggers and viruses are some of the main ways hackers can access the data needed to clean out an account.

Will Valve return stolen skins to thier owners like Stewie2k?

There’s still hope for Junior’s skins. Team Liquid’s Jake “Stewie2k” Yip had his own account hacked in a similar way during the 2019 StarLadder Berlin Major. Luckily, Valve restored access to the pro’s account and returned to him his skins, so it’s possible that Junior will be just as lucky. Even CSGO observer DJ “Prius” Kuntz revealed that he was a victim of a similar attempt during a stint at IEM Katowice.

There are an entire host of scams used on Steam to trick people out of thier items, so it’s best to follow the simple rules of the internet to keep things safe.

  • If it’s too good to be true, it probably is.
  • Never share your password with anyone. 
  • Enable 2FA on all ways into your account like an email address, phone, and Steam itself.

Finally, enabling Steam Family Sharing is an odd way to work around the issue, but it requires players to enter another four digit pin in order to do anything through the Steam Service. Prius reccomendeds it as a way to further lock down an account, but it need to be enabled correctly to function. Users can find out more about Family Sharing and how it can protect them through Steam’s FAQ.