Steam client allegedly continues sharing your status with your friends even if you set it ‘Offline,’ report claims — setting is a ‘UI illusion’ and your friends still receive real-time updates when you log on or log off

(Image credit: Future)

An anonymous blog claims that the Steam client continues to broadcast your log-on and log-off times, even if you set your status as “Invisible” or “Offline.” According to the Xmrcat blog, “Setting yourself to ‘Offline’ is basically a UI illusion. You might appear offline to the world, but the backend Connection Manager (CM) continues broadcasting your live activity to the socket. This leak bypasses everything, even ‘Private Profile’ settings. It essentially hands your friends a real-time log of exactly when you sleep and wake up, making your privacy settings effectively useless.”

According to the report, the Steam client apparently broadcasts raw Unix timestamps to all the friends you added on the platform every time your status changes, even if you turned on your privacy settings to hide your information. The only difference with going “Invisible” or “Offline” is that the client on your friends’ PCs and devices will put your profile under the “Offline” list, so they cannot see you, but the client still knows when you last logged in or out.

This might not be an issue for the average user, but those who know their way around programming and development could potentially extract the information from Steam’s backend. It’s possible to intercept the ClientPersonaStaste protobuf message payload, which will potentially reveal your sleep cycle or gaming habits, allowing someone else to track your behavior without your knowledge.

The anonymous user said that they raised the issue, only to be brushed off by the company. “I sent this to Valve on HackerOne,” wrote Xmrcat. “I showed them how I could reconstruct a target’s daily sleep cycles despite them being ‘invisible’ for weeks.” Unfortunately, the ticket was closed as “Informative,” and they were told that the packets are only sent to your friends on Steam, so they’re presuming a pre-existing relationship of trust between the two parties.

Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.

TOPICS

Jowi Morales is a tech enthusiast with years of experience working in the industry. He’s been writing with several tech publications since 2021, where he’s been interested in tech hardware and consumer electronics.

8 Comments Comment from the forums

Shiznizzle

Steam brushing issues under the carpet. Anybody surprised?

Solution to this is to not have any "friends" on Steam. Then you cant be followed and tracked by their own platform
Reply
derekullo

Have less untrustworthy friends?
Reply
das_stig

Solution to this is a class action lawsuit by all Steam users for infringing privacy when the control to stop this abuse doe snot work and the company has been informed and refuses to take action.
Reply
Lamarr the Strelok

If you unfriend someone they can't monitor you anymore.How would Steam benefit from knowing your old friend from 5 years ago knows what games you're playing? I don't do any MP so after years of deleting and disabling friends components on Steam on new steam installs , the friends tab doesn't even pop up now when I sign into a new steam install.
It'll get fixed. The site linked is interesting and it's good keeping corps honest,but I think this'll be ok. Maybe a setting in friends or other MP/settings in steam. Maybe more info will be coming.
It's been a while but there are many options for the friends panel last I checked. Maybe it's very simple now.
Reply
ezst036

Is this simply a bug?

Its a bad bug indeed, but I'm just asking. Everybody seems to want to assign a nefarious motive to it.

I did see where a bug report was filed and dismissed, I wonder why that was.

Tom's highlighting this is wonderful. Perhaps if enough people complain the weight of it can be properly impressed upon Valve.
Reply
ohio_buckeye

I guess you could become a hermit and not have friends? Lol. Not really they need to fix that.
Reply
UnforcedERROR

Shiznizzle said:
Steam brushing issues under the carpet. Anybody surprised?

Solution to this is to not have any "friends" on Steam. Then you cant be followed and tracked by their own platform
Yes, you should completely isolate on what is largely a social gaming platform. I mean, I get it, some people play single player games, but STEAM started as an entry point into games like CS 1.6. It's entirely designed to be a multiplayer system.

ezst036 said:
Is this simply a bug?

Its a bad bug indeed, but I'm just asking. Everybody seems to want to assign a nefarious motive to it.

I did see where a bug report was filed and dismissed, I wonder why that was.

Tom's highlighting this is wonderful. Perhaps if enough people complain the weight of it can be properly impressed upon Valve.
Probably laziness, more than a bug.

Valve are large enough that they simply don't care about the end user under most circumstances. It took them the entire lifespan of CSGO + some time in CS2 before they implemented proper consumer protections for things like item scams. Prior to that it was fairly anti-consumer, since Valve profited heavily from the skin market, and thus wouldn't restore user's items regardless of the situation.

The main thing is that Valve have little-to-no competition in the space at present. There are other platforms, but they don't have the reach, which lets Valve operate with impunity (to some degree).

To be fair, I see this as fairly minimal. Most of my friends list are people I know in person. That said, I have a few friends who I could see being actively stalked through loopholes like this, simply by virtue of who they are in the community.
Reply
Notton

Not to discredit the bug, but I don't see the issue?

If you don't want to be found online on steam, just unfriend everyone? seems simple.
Reply

Show more comments