Offline
I want to bind data to players by player(id, 'steamid')
Can a player, without access to the server, change this data (I mean steamID)?
edited 1×, last 21.02.24 09:12:32 am
Forum
CS2D
Scripts Steamid safe?
Steamid safe?
10 replies
1 
I want to bind data to players by player(id, 'steamid')
Can a player, without access to the server, change this data (I mean steamID)?
I suggest integrating 2FA of sorts if you're planning to use STEAM ids.
Both in 2012 and now, my mail is not accepted for USGN registration. For me, it's easier to register steam, especially since everyone has steam now, than to register another service for just one game.
Either way, we're waiting for an official response.
Mami Tomoe has said is false. The steps Steam takes to protect their users' accounts is more than USGN's. In CS2D, USGN is much more vulnerable than Steam, and especially USGN lacks enough server verifications, and there is a lot of hacked accounts which could be due to most likely using some external programs or exploiting an unknown vulnerability in the game likely when you join the server of the exploiter which could possibly lead to getting your data stolen (there is no evidence on this yet, so its just a possibility). Use SteamID instead, it is much safer. But I'd suggest adding additional server verification checks for the steam account such as through CS2D HTTP get the data from the steam account, and verify the name. (I am unsure about this whether the server gets it directly from Steam, or from the client since I have never checked how it works)
If you're going to use USGN, then consider also adding additional server verifications for it aswell such as verifying the USGN name as it is a known security vulnerability the client sends the USGN name to the server instead of the server getting the USGN account name from official USGN website, so it can easily be modified by any client. I am not sure if
1
player(id, "usgnname")
edited 3×, last 21.02.24 08:30:14 am
Gaios: In 2014-2015, my friend used Cheat Engine to change the USGN ID in the game client and logged into the server with that USGNID. He also enabled cheats and someone recorded him playing with cheats and sent it to the moderators of unrealsoftware.de. In the end it turned out that banned innocent people.I don't really trust the use of USGN IDs after that.
That's why I'm asking if it's possible to change the STEAM ID.
@
Ranu: How do you propose to do steam verification? Where should I send my request? What should be in the request? Which one is safer/more reliable in CS2D is a whole different story though because it depends on the implementation in CS2D.
Like
Gaios said that are... problems... with CS2D's Steam integration. There are vulnerabilities. Unfortunately there is currently no easy way to get rid of those.The U.S.G.N. ID is relatively safe if (and only if!)
sv_checkusgnlogin is set to 1 (which is the default). I assume that in the scenario you described this option was turned off (some server owners do that because it can delay/freeze the join process). But if it's on you can be realtively sure that each ID you retrieve after a completed (!) login actually belongs to that user. Manipulating the ID is complicated and should be nearly impossible under real world conditions. You can do so locally but this won't change the ID on the game server.Whether the IDs are safe enough for your needs depends on the data you plan to bind. If it's just stats and things like that it should be ok. If you plan to give admin permissions and stuff alike then you should probably add another layer of security e.g. a password.
DC: I understood, thanks.Another question, is the traffic transmitted via `msg`, `parse` commands encrypted? I would like to use the `parse` command to authenticate a user as an administrator. (I'm meaning to the `rcon` commands)
Ranu:You misunderstood me.
I was referring to CS2D's identity verification, which was implied based on what the author said and where the topic was created.
If this were to be on the off-topic category, I would've not said what I said.
CS2D's check of U.S.G.N. is a lot more secure because it has been in place for longer, and because @
DC has full access to the game network which allows him to improve the security of the verification (there is sv_checkusgnlogin but no sv_checksteamlogin, that is because CS2D doesn't actually check if the STEAM login is valid, or at least not in a way that is as robust as the U.S.G.N. check).Which is why, I highly recommend to not give staff permissions based on STEAM IDs alone, and either save it for just U.S.G.N. IDs or even better, add a password protection.
By the way, names are not verified (AFAIK) so you can spoof U.S.G.N./STEAM names, so never use those for anything important.
JonyFrosta: No, it's not encrypted. Plain UDP. Only rcon uses (very basic) encryption for the rcon password and the transmitted command. So you could simply use that and then use the rcon-hook to entirely control on your own what happens with the input by letting it return 1.Only downside of this is that you have to use the same password for everyone. Or you could have another hook which changes the rcon password to a user specific one. Or you require an extra password which is then part of the "cmds" string...
So just as others said and to correct what I said, Steam is even more vulnerable in CS2D, but USGN is also quite vulnerable. 100% avoid using Steam for almost anything in CS2D.
Double-verification and creating your account system in your server is the best option.
1