Steam custom clients - security

Forum for alternative clients, mods & discussions on the same.

Postby noindyfikator » Wed Oct 02, 2024 7:52 am

It's a question mostly for @Jorbtar and client devs.

Here in The Wizards' Tower devs post custom clients together with a Github repository. It's more or less easy to check what the client does with your credentials (a bit more difficult to check if it runs bitcoin mining software ;p).

However on Steam I can see a list of custom clients (as workshop items). None of them has a link to a repository or any other confirmation that it's safe to use.
Does Loftar check the client code before approval? How can we ensure that a client is safe to use when everything we get is just the client name and the developer's Steam account?


Re: Steam custom clients - security

Postby EnderWiggin » Wed Oct 02, 2024 8:00 am

Most current forum-based clients are distributed through an updater of one sort or another, not compiled by end users, so there's no real way for users to be sure what they get is the same as in the repo linked in the client thread. Steam Workshop can have a description with a repo link, which would bring it to a similar level as the forum clients.

Re: Steam custom clients - security

Postby TheServant » Wed Oct 02, 2024 8:04 am

EnderWiggin wrote:Most current forum-based clients are distributed through an updater of one sort or another, not compiled by end users, so there's no real way for users to be sure what they get is the same as in the repo linked in the client thread. Steam Workshop can have a description with a repo link, which would bring it to a similar level as the forum clients.

I think, more or less, this concern is already well known since loftar has a thread warning about the situation. But Steam Workshop is a bit more complicated for new users.

Re: Steam custom clients - security

Postby noindyfikator » Wed Oct 02, 2024 8:10 am

EnderWiggin wrote:Most current forum-based clients are distributed through an updater of one sort or another, not compiled by end users, so there's no real way for users to be sure what they get is the same as in the repo linked in the client thread. Steam Workshop can have a description with a repo link, which would bring it to a similar level as the forum clients.

I know this is the very beginning of custom clients on Steam and the workshop pages will change. I just want to add some additional info which should be required before adding a custom client. Imo it will be useful for Steam users to have the bare minimum of knowledge about the custom client they are going to download.

Let's take Ender Client and ArdClient into consideration (just examples).

When I open the Ender Client Steam workshop page I can see created by: Ender Wigging.
The Steam profile looks solid, the Steam name matches the forum user name -> easy to check the forum, posts about the client, validate user "reputation" etc. Sounds good to me as a user to download the client.

However ArdClient was added by "Naylok". The Steam profile is empty and private, and there is no forum user with this nickname. UPDATED: NVM, found the user: memberlist.php?mode=viewprofile&u=166130, however it's an account without posts.

Re: Steam custom clients - security

Postby derkami » Wed Oct 02, 2024 8:23 am

Damn you guys are fast. (Or I'm just slow af.)

The question is, do we need to ensure safety in any way?
Other Workshop shit could be malicious as well.
Also, isn't it like: you can only upload your shit once you get your key from loftar?
If so, that already limits the amount of people able to put Workshop stuff onto Steam.
Not sure if that will always be the case...

I can't think of any other good mechanism for ensuring that everything is in order tbh.

The real question would be: if someone fucks up a workshop client, does it affect the game itself on Steam?

Re: Steam custom clients - security

Postby noindyfikator » Wed Oct 02, 2024 8:30 am

derkami wrote:Also, isn't it like: you can only upload your shit once you get your key from loftar?

Loftar wrote:Right now before the release, you will need to request a Beta key from me to be able to access the game and its workshop, but as soon as the game is launched, this will be open to anyone without any sort of prior approval.

Re: Steam custom clients - security

Postby derkami » Wed Oct 02, 2024 8:42 am

Right, scratch that. Too much information currently to keep track of it.

Which means it's even harder to actually have a secure workshop...

Re: Steam custom clients - security

Postby APXEOLOG » Wed Oct 02, 2024 9:05 am

There is no way to verify and guarantee that the client does not do anything bad. And providing the GitHub link will not help. As mentioned already, the final distribution can be anything (you can probably add a hash-check and compare it with a public GitHub release hash, but that's too convoluted).

I think loftar should put a disclaimer into the custom client launcher about the potential problems.
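The hash check APXEOLOG mentions, written out as an added example (not code from this thread or from any client project): it parses a sha256sum-style checksum file that a developer could publish next to a GitHub release and compares it with the digest of the archive actually downloaded. The file and client names are constructed placeholders.

```python
"""Verify a downloaded custom-client archive against a published SHA-256 checksum.
Added example; the checksum file format mirrors `sha256sum` output: "<hex>  <filename>"."""
import hashlib
import hmac
import os
import tempfile

def parse_checksums(text: str) -> dict[str, str]:
    """Map filename -> lowercase hex digest from sha256sum-style lines."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # sha256sum binary mode prefixes names with '*'
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed checksum line: {line!r}")
        out[name] = digest.lower()
    return out

def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream; archives can be large
            h.update(chunk)
    return h.hexdigest()

def verify_file(path: str, expected_hex: str) -> bool:
    # compare_digest is constant-time; not essential for a local check, but a good habit
    return hmac.compare_digest(sha256_of_file(path), expected_hex.lower())

def verify_bytes(data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())

def demo() -> tuple[bool, bool]:
    # Constructed release: the "archive" is the bytes b"abc", whose SHA-256 is the
    # well-known test vector ba7816bf...15ad. The tampered copy differs by one byte.
    published = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  ardclient-1.0.zip\n"
    expected = parse_checksums(published)["ardclient-1.0.zip"]
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "ardclient-1.0.zip")
        bad = os.path.join(d, "ardclient-1.0-tampered.zip")
        with open(good, "wb") as f: f.write(b"abc")
        with open(bad, "wb") as f: f.write(b"abc\x00")
        return verify_file(good, expected), verify_file(bad, expected)  # (True, False)
```

The check only proves the download matches what the developer published; whether the published build matches the repository is a separate question, which is the point the thread makes.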

Re: Steam custom clients - security

Postby vatas » Wed Oct 02, 2024 9:12 am

APXEOLOG wrote:There is no way to verify and guarantee that the client does not do anything bad. And providing the GitHub link will not help. As mentioned already, the final distribution can be anything (you can probably add a hash-check and compare it with a public GitHub release hash, but that's too convoluted).

I think loftar should put a disclaimer into the custom client launcher about the potential problems.

I was going to post something similar, glad we had an expert pitch in.

To reiterate what I've understood: unless you download the source code, check it, and compile it yourself, you're placing 100% trust in whoever packaged the distributable version, whether it's some kind of launcher or a .zip file containing the entire client. Same goes for any kind of update function.

According to a random Reddit comment:
You can upload whatever file you want to the Steam workshop, I've seen people upload entire movies in the Wallpaper Engine section.

The game is responsible for handling mods that don't have the correct format. If the game is bad it will simply execute random code and you will have a bad time.

Most of the time the game will simply say it failed to load the mod, this kinda applies to everything though, if you see an image in your browser that could be a malicious file trying to break the image parser of your browser and end up executing malicious code.

So not really worth it to worry about.

My rather layman understanding is that the most realistic attack-vector is limited to just stealing the passwords you input on the client to log in. Which obviously is still rather bad if you have a 1000 dollar hat collection.

Re: Steam custom clients - security

Postby APXEOLOG » Wed Oct 02, 2024 9:19 am

vatas wrote:My rather layman understanding is that the most realistic attack-vector is limited to just stealing the passwords you input on the client to log in. Which obviously is still rather bad if you have a 1000 dollar hat collection.


Well, you can basically do anything in the system, since you'll be running your own code. But it's not really any different from any other game. Half of the Unity games are modded through Harmony, which is basically code injection. And all those mods are distributed through the Steam workshop as well.

I think in the end it will be a matter of trust and name behind the client.