PCG Article A new browser-in-the-browser attack threatens Steam users

Makes sense to be cautious. But it's not always a scam. I'm pretty sure Humble Bundle makes you link to your Steam account, and they're definitely legit. But I wouldn't link with anything that I don't already know is legit.
Jebus, no wonder people are falling for this.

I didn't say anything about linking accounts. I said not to enter your username and password from one site on another site. That's not how you link accounts and that's not what Humble has you do.
 
It's been a long time since I've used Humble Bundle, so I guess I forgot how it works. I thought you did have to enter your username and password there. So how does it work, then?
 

Zloth

Community Contributor
Edit: Note this has nothing to do with linking accounts. That's a different process.
No, I think that is this process. When you go to GOG or Humble or whatever, there's a system to securely link your account to your Steam account by logging into Steam. These are websites saying they are doing the same thing so they can enter you into a tournament - which isn't an entirely crazy thing. By the sound of it, though, they are pulling something like the old IFRAME trick where they go through the process but have another website around the edge of the window. You go through the legit system, but their code watches what you do, so they get your password. Then they log into your account, change the password, and give your stuff away to their account.

Your advice is right, though. Do not go linking your Steam account to other websites unless you know the place well.
 
You all are not exactly accurate (but I wasn't either because I didn't read the article carefully enough).

Here's how linking works:

If you are logged into Steam (in your browser, not the app) when you go to link your account to a legitimate site, you won't have to do anything to link accounts except for hitting an "agree" button. If you are not logged in, it may redirect you to Steam to log in depending upon how sophisticated the site is. It can actually pull from the app, but some sites don't do that. You probably won't be logged in in your browser because Steam doesn't let you stay logged into the browser version, so you could be redirected.

What you need to do is this: if you get redirected to Steam, shut down that window and go to Steam directly (in your browser). After logging into Steam, go back and try to link your account again. If the site again tries to get you to log into Steam, there's a problem somewhere, and you need to be extremely cautious. If it is a well-known site, ask yourself how you got there. Did you go directly to that site through a bookmark you know is accurate? Did you get there from the first link in Google? Or did you follow a link from another site or an email or a pop-up window? Look carefully at the web address. Ask a lot of questions. If it is not a well-known site, I would not use the link feature at all if it isn't working properly, which is to say that you shouldn't have to log into Steam a second time. And I would never link to something that opened in a pop-up window. I mean, come on. Don't be a rube.
 