Another Steam user gave me a Steam wallet code. Can my PC/Steam account get hacked by redeeming that code?
134 Answers
It is possible. One of the methods of account recovery is providing to the Steam support team a game key code or wallet funds code that has previously been redeemed on the account (as per here).
If you redeem the code then the scammer can provide that code to Steam support, as well as proof of purchase, and gain access to your account.
2
Possible attack scenario:
- Evil person creates a game with very well-hidden malware. Steam's quality control is very lenient, but not non-existent. So it at least needs to look like a game. The malware needs to be a custom-made one so it does not get detected by any known virus scanner (Valve does check every submission using virus scanners). So there is considerable development effort involved.
- Evil person pays the $100 listing fee to Steam, using a bank account which cannot be traced back to them.
- Evil person uses personal information acquired by identity theft to complete the Steam paperwork, so the game gets listed.
- Evil person sends you a free Steam key for their "game", hoping you install and run it.
In order to pull this off, Evil Person would need to pay $100, wait several weeks for the Steam Direct process to complete and commit identity theft to avoid getting caught. And it does not scale, because when they send keys to too many users and one of them finds out it's malware and reports it, the game gets depublished and they need to start from the beginning. So it would only be worth it if you are a high-value target and they are sure they can convince you to actually run the game.
3
If the Steam Wallet Code you received is of the correct format (which, IIRC, Steam prints in the redeem-wallet-code-dialog) and if you enter it manually into Steam then using that code is safe no matter where it comes from. Steam may or may not accept it, but there's no risk of being hacked that way.
You should, however, not copy-and-paste that code into Steam, since a manipulated code could in theory contain a character sequence that is invisible to you but that exploits a weakness in Steam to hack the application (and by extension possibly your Steam account as well). This "attack vector" is not very likely, but it is theoretically possible.
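The copy-and-paste concern above can be checked before anything reaches the client. The following is an added example, not part of any answer on this page: it lists every character in a pasted string that is not a plain ASCII letter, digit or hyphen, so invisible or look-alike characters become visible. The 5-5-5 code shape and the function names are assumptions; the page does not state the format.

```python
import re
import unicodedata

# Assumed shape: three hyphen-separated groups of five ASCII letters/digits.
# The page does not give the format; adjust to what the redeem dialog shows.
CODE_SHAPE = re.compile(r"[A-Z0-9]{5}(-[A-Z0-9]{5}){2}")


def inspect_pasted_code(text):
    """Return (cleaned, findings).

    cleaned  : only the ASCII letters, digits and hyphens, upper-cased.
    findings : (position, code point, Unicode category, name) for every
               other character, including ones that render as nothing.
    """
    kept, findings = [], []
    for pos, ch in enumerate(text):
        if ch.isascii() and (ch.isalnum() or ch == "-"):
            kept.append(ch.upper())
            continue
        findings.append((pos, f"U+{ord(ch):04X}",
                         unicodedata.category(ch),
                         unicodedata.name(ch, "<unnamed>")))
    return "".join(kept), findings


def is_safe_to_submit(text):
    """True only if nothing unexpected was pasted and the shape matches."""
    # Leading/trailing ASCII whitespace from a sloppy selection is harmless.
    cleaned, findings = inspect_pasted_code(text.strip(" \t\r\n"))
    return not findings and CODE_SHAPE.fullmatch(cleaned) is not None


if __name__ == "__main__":
    # Constructed samples; none of these is a real wallet code.
    samples = {
        "plain": "ABCDE-12345-FGHIJ",
        "zero-width space": "ABCDE-12345\u200b-FGHIJ",
        "right-to-left override": "ABCDE-12345-FGHIJ\u202e",
        "Cyrillic look-alike A": "\u0410BCDE-12345-FGHIJ",
    }
    for label, value in samples.items():
        cleaned, findings = inspect_pasted_code(value)
        print(f"{label}: safe={is_safe_to_submit(value)} cleaned={cleaned}")
        for finding in findings:
            print("   unexpected character:", finding)
```

If any finding is reported, retype the code by hand from the cleaned form instead of pasting the original string.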
You can't suffer any damage from redeeming a Steam code, as the keys are generated by Steam itself in order to provide a unique and non-repeatable key. Imagine that "GTA V" provides Steam with the key "1234" and "Mass Effect" also provides the key "1234"; Steam would run into a conflict over whether to redeem one game or the other. That's why Steam manages the keys.
This means that the worst scenario is that Steam will return to you a message like: "this is not a valid Steam Key" and that's it, no one gets hurt.
Regarding the "Pastebin" link, it's a public repository to share code. But before clicking, hover the mouse over the link to see the real URL in the status bar, as it might be different.
3