Not even 24 hours after I initially published my post on Steam’s web login shenanigans, I was flooded with comments, suggestions, stories and mails. It absolutely blew me away and I took my time to read through every single response. Since then, I have gained new insights and, in my humble opinion, a pretty conclusive look at what it is that Steam is doing with the passwords of their users. This article aims to fill in the gaps of my original post. Any questions that popped up back then will hopefully be answered for good.
One morning I woke up and found that Telegram implemented a new feature called “People Nearby”. If you choose to share your location publicly on Telegram, you’ll appear in a list for users who are physically close to you. Not only that, but they’ll also see just how far away you are down to the meter. However, you don’t need to share your own location in order to see where people around you are located. These are perfect prerequisites to find out just how accurate this feature really is and, more importantly, whether or not it can be used to find out where nearby Telegram users live.
How do you send a password over the internet? You acquire a SSL certificate and let TLS do the job of securely transporting the password from client to server. Of course it’s not as cut-and-dry as I’m making it out to be, but the gist of it holds true and stood the test of time. This hasn’t always been this way though, and one incredibly popular storefront on the world wide web prefers to add a little extra to this day. I’ll be discussing Steam’s unique method of logging in their users, and go down a deep rabbit hole of fascinating implementation details.