Jump to content
McKay Development

I get my account banned when I log in with a QR code

vindisel

By vindisel
in node-steam-session

 Share

Recommended Posts

vindisel Rookie

vindisel

Posted
Posted (edited)

I have seen in other topics that someone gets such bans for monitoring exchanges on phishing accounts.  This

I DO NOT USE THIS ACCOUNT ANYWHERE, NEITHER IN node-steamcommunity, nor in node-steam-user, THIS IS MY PERSONAL ACCOUNT, I ONLY RECEIVE TOKENS, NOTHING ELSE.
I use this example to authorize my account using a QR code and after a couple of hours I get banned with a notification that someone else is using my account, while I don't use any proxy in the code or VPN on my computer. This is not a coincidence, because this has already happened 3 times.
In the notification, steam sends me that a suspicious login was made from MY IP address where I have the authenticator linked.🤣🤣
But in the devices I get the Galaxy S22, maybe that's the problem? I'm scanning the code from the iPhone, maybe Steam finds it suspicious?
Maybe I should stop using QR input, I don't know.… 
But anyway, I think it's worth writing some kind of warning in the documentation about a possible account ban at the QR login. 

main();
async function main() {
	// Create our LoginSession and start a QR login session.
	let session = new LoginSession(EAuthTokenPlatformType.MobileApp);
	session.loginTimeout = 120000; // timeout after 2 minutes
	let startResult = await session.startWithQR();

	let qrUrl = 'https://api.qrserver.com/v1/create-qr-code/?size=200x200&data=' + encodeURIComponent(startResult.qrChallengeUrl);
	console.log(`Open QR code: ${qrUrl}`);

	session.on('remoteInteraction', () => {
		console.log('Looks like you\'ve scanned the code! Now just approve the login.');
	});

	// No need to handle steamGuardMachineToken since it's only applicable to accounts using email Steam Guard,
	// and such accounts can't be authed using a QR code.

	session.on('authenticated', async () => {
		console.log('\nAuthenticated successfully! Printing your tokens now...');
		console.log(`SteamID: ${session.steamID}`);
		console.log(`Account name: ${session.accountName}`);
		console.log(`Access token: ${session.accessToken}`);
		console.log(`Refresh token: ${session.refreshToken}`);

		// We can also get web cookies now that we've negotiated a session
		let webCookies = await session.getWebCookies();
		console.log('Web session cookies:');
		console.log(webCookies);
	});

	session.on('timeout', () => {
		console.log('This login attempt has timed out.');
	});

	session.on('error', (err) => {
		// This should ordinarily not happen. This only happens in case there's some kind of unexpected error while
		// polling, e.g. the network connection goes down or Steam chokes on something.
		console.log(`ERROR: This login attempt has failed! ${err.message}`);
	});
}
Edited by vindisel
Ian Newbie

Ian

Posted
Posted

Hi there,

 

Created an account and replying to say I'm also experiencing this. Starting Sunday, I logged in using a QR code that I scanned with the Steam Authenticator app. I was then flagged for "compromised account". I went through their flow to reset my password and figured all was good so I logged in again with QR code. Flagged again. This time they did a big reset and I even had to remove and re-attach my Steam Authenticator. I tried one more time and my account got flagged and that's where I'm stuck right now. It's a big pain because it prevents me from joining friends.

tl;dr: something does seem broken when using QR codes to log in

 

@vindisel I found in the github why your EAuthTokenPlatformType.MobileApp shows up as [Samsung] Galaxy S22: https://github.com/DoctorMcKay/node-steam-session/blob/a4300c954c7dc0e4b15c6ff033e4484c70837a0f/src/AuthenticationClient.ts#L417

Basically anybody using .MobileApp as their type gets considered to be an S22. My original login method was also using .MobileApp.

I'm currently trying to change .MobileApp to .WebBrowser to see if that does anything, because since I'm running my code on a server it's not actually a MobileApp. Maybe Valve is cracking down on "wow there's a lot of people doing bot things from S22s"? I'm also going to provide a userAgent from my current browser, in case that helps avoid this automatic flagging.

vindisel Rookie

vindisel

Posted
  • Author
Posted
34 minutes ago, Ian said:

Hi there,

 

Created an account and replying to say I'm also experiencing this. Starting Sunday, I logged in using a QR code that I scanned with the Steam Authenticator app. I was then flagged for "compromised account". I went through their flow to reset my password and figured all was good so I logged in again with QR code. Flagged again. This time they did a big reset and I even had to remove and re-attach my Steam Authenticator. I tried one more time and my account got flagged and that's where I'm stuck right now. It's a big pain because it prevents me from joining friends.

tl;dr: something does seem broken when using QR codes to log in

 

@vindisel I found in the github why your EAuthTokenPlatformType.MobileApp shows up as [Samsung] Galaxy S22: https://github.com/DoctorMcKay/node-steam-session/blob/a4300c954c7dc0e4b15c6ff033e4484c70837a0f/src/AuthenticationClient.ts#L417

Basically anybody using .MobileApp as their type gets considered to be an S22. My original login method was also using .MobileApp.

I'm currently trying to change .MobileApp to .WebBrowser to see if that does anything, because since I'm running my code on a server it's not actually a MobileApp. Maybe Valve is cracking down on "wow there's a lot of people doing bot things from S22s"? I'm also going to provide a userAgent from my current browser, in case that helps avoid this automatic flagging.



Yes, I think Valve bans accounts if the MobileApp login differs from this MobileDeviceProperties data.
It may be necessary to update the code every time and set up-to-date phone data so that there are no bans. I don't know how this is possible at all, even if my IP address is the same as on all devices where I have ever logged into my account. It looks like complete idiocy. 

interface ConstructorOptions {
    // ...

    mobileDeviceProperties?: MobileDeviceProperties
}

interface MobileDeviceProperties {
    mobileUserAgent?: string,     // default 'okhttp/3.12.12'
    mobileClientVersion?: string, // default '777777 3.0.0'
    deviceFriendlyName?: string,  // default 'Galaxy S22'
    osType?: number,              // default EOSType.AndroidUnknown
    gamingDeviceType?: number,    // default 528 (unknown significance)
}
vindisel Rookie

vindisel

Posted
  • Author
Posted

Well, I'll try to log in with this data, I don't know what will come of it. 

{
  websiteId: 'Mobile',
  headers: {
    'user-agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1',
    cookie: 'mobileClient=ios; mobileClientVersion=3.10.0'
  },
  deviceDetails: {
    device_friendly_name: 'iPhone 13 mini',
    platform_type: 3,
    os_type: -600,
    gaming_device_type: 528
  }
}

 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
 Share
Go to topic listing
×
×
  • Create New...