S.H.G._Nackt · @SHG_Nackt

16th Feb 2014 from TwitLonger

Steam's VAC now reads all the domains you have visited and sends it back to their servers hashed.

Decompiled module:

What it does: Goes through all your DNS Cache entries (ipconfig /displaydns)
Hashes each one with md5.

Reports back to VAC Servers
So the domain would be 1fd7de7da0fce4963f775a5fdb894db5 or would be 107cad71e7442611aa633818de5f2930 (Although this might not be fully correct because it seems to be doing something to characters between A-Z, possible making them lowercase) Hashing with md5 is not full proof, they can be reversed easily using rainbowtables. So they are relying on a weak hashing function.

You don't have to visit the site, any query to the site (an image, a redirect link, a file on the server) will be added to the dns cache. And only the domain will be in your cache, no full urls. Entries in the cache remains until they expire or at most 1 day (might not be 100% accurate), but they dont last forever.

We don't know how long this information is kept on their servers, maybe forever, maybe a few days. It is probably done everytime you join a vac server. It seems they are moving from detecting the cheats themselves to computer forensics. Relying on leftover data from using the cheats. This has been done by other anticheats, like punkbuster and resulted in false bans. Although I am not saying they will ban people from simply visiting the site, just that it can be easily exploited.

Valve is probably building profiles of their users, maybe to catch cheaters, maybe to show you games in the shop that you would be more interested in, and maybe they are selling this data to a 3rd party for tons of cash.

So hey Valve. What are you doing?

Reply · Report Post