I know this sounds unlikely, but I’ve seen a Chinese trading platform that actually works this way: I only need to sign in and link my account through Steam’s browser-based sign-in inside their app, and then it can perform automated trade-up contracts. This isn’t a fake trade—in my inventory history, real trade-up contract entries appeared, even though I never authorized a desktop Steam Client login, and Steam did not show any new PC as an authorized device (for example, in the Steam Mobile app’s device / machine list). Does anyone know how this could be implemented? Thanks.
Update (packet capture): I also inspected the app’s traffic. In the payload the app sends back to the server for steamRefresh_steam, the sub field is still [web, derive, renew] (i.e., it does not look like a typical “full Steam Client session” fingerprint).