So GoG Galaxy 2.0 wants me to log into Steam via their program. In what Universe is that a good idea? We as a Community have spent hours upon hours to teach people to not log into Steam via other programs or enter their Steam Guard code to avoid their accounts being hacked, then Galaxy comes around and wants us to do exactly that. Yeah, not happening.

This is kind of disappointing. It's another angle of attack, giving someone the opportunity to screw with your accounts.
You guys are probably going to eat me alive, because you can't say negative things about GoG, but I am really not a fan of it.

edit

Here is how it should work:

I press connect Steam -> launch default browser with Steam Community login -> I confirm the request to log into GoG with my Steam account -> you pass the token to GoG Galaxy via a Server -> Fin

This way you can get all the data you need, without me entering my credentials into your program.
Post edited July 05, 2019 by Scorcher24
Scorcher24: I press connect Steam -> launch default browser with Steam Community login -> I confirm the request to log into GoG with my Steam account -> you pass the token to GoG Galaxy via a Server -> Fin
Pretty sure that is how it works. GOG doesn't save credentials in their database.
Scorcher24: I press connect Steam -> launch default browser with Steam Community login -> I confirm the request to log into GoG with my Steam account -> you pass the token to GoG Galaxy via a Server -> Fin
Zoidberg: Pretty sure that is how it works. GOG doesn't save credentials in their database.
They use their own browser, not showing the certificate. That is the issue here. And I am not going to enter my credentials into a site I cannot verify.
https://pbs.twimg.com/media/D-uKf-XWkAIsqXl?format=jpg&name=large
Post edited July 05, 2019 by Scorcher24
Zoidberg: Pretty sure that is how it works. GOG doesn't save credentials in their database.
Scorcher24: They use their own browser, not showing the certificate. That is the issue here. And I am not going to enter my credentials into a site I cannot verify.

https://pbs.twimg.com/media/D-uKf-XWkAIsqXl?format=jpg&name=large
Those are the regular credential screens you get for Steam, or any other store.
Scorcher24: They use their own browser, not showing the certificate. That is the issue here. And I am not going to enter my credentials into a site I cannot verify.

https://pbs.twimg.com/media/D-uKf-XWkAIsqXl?format=jpg&name=large
Zoidberg: Those are the regular credential screens you get for Steam, or any other store.
You are completely missing the point.
It is understood that there should be a bar displaying where the site is and what certificate the site is displaying, but it's still going to be shown like this. The page that gets displayed is how external apps get granted access to the Steam Community api.

Completely valid point, though.
Zoidberg: Those are the regular credential screens you get for Steam, or any other store.
Scorcher24: You are completely missing the point.
Most evidently.
This is exactly how Playnite does it. In fact, in the few SS I've seen, Playnite is a big inspiration for a lot of the GOG 2.0 features.
paladin181: This is exactly how Playnite does it. In fact, in the few SS I've seen, Playnite is a big inspiration for a lot of the GOG 2.0 features.
That doesn't make it better and this way it is susceptible to hijacking. You don't even need to fake the green lock to make the user think he is on the correct site. Copy the CSS from Steam, offer the fake login via dns hijacking on the same machine or in the network and you own the account.
paladin181: This is exactly how Playnite does it. In fact, in the few SS I've seen, Playnite is a big inspiration for a lot of the GOG 2.0 features.
Scorcher24: That doesn't make it better and this way it is susceptible to hijacking. You don't even need to fake the green lock to make the user think he is on the correct site. Copy the CSS from Steam, offer the fake login via dns hijacking on the same machine or in the network and you own the account.
Not with two factor auth, right?

What do you need then? The url displaying on the auth window?
Scorcher24: This is kind of disappointing. It's another angle of attack, giving someone the opportunity to screw with your accounts.
You guys are probably going to eat me alive, because you can't say negative things about GoG, but I am really not a fan of it.
Everyone's entitled to their opinion, but I absolutely love the new launcher. This makes it a lot easier for people to log into multiple accounts. Especially those of us who would only like to use GOG as our only desktop client.
Post edited July 08, 2019 by joelandsonja
Scorcher24: So GoG Galaxy 2.0 wants me to log into Steam via their program. In what Universe is that a good idea?(...)
I was shocked when I saw this kind of integration system. Seemed fishy to use even for GOG because you can't see verification info, even some kind of green lock or something like that.

Took a deep breath and entered my credentials even though it says they won't be saved; I'm still a little bit worried :)
Scorcher24: (...)Here is how it should work:

I press connect Steam -> launch default browser with Steam Community login -> I confirm the request to log into GoG with my Steam account -> you pass the token to GoG Galaxy via a Server -> Fin
This is my opinion as well. I'll try to suggest it as feedback.

It could be automatic local search for games as well. I was hoping to see that kind of system. This one is both making me uneasy and takes a long time. Took 10+ mins to import all 1871 games from different platforms.
Zoidberg: Not with two factor auth, right?
Two-factor does not help in that case, as you only see the fake website: you type in your username and password, which get sent to the fake server, which in turn tries to log in on the real Steam website. This will trigger two-factor authentication, so the fake server will also show the prompt to enter the second factor code. Which you will do, so the second factor gets sent to the fake server, which in turn uses it to log in. Then the automated script has all it needs to change your password, while the fake server shows you a new website with some random error message so you are distracted while your account is hijacked.

Zoidberg: What do you need then? The url displaying on the auth window?
Yes, and the information whether the certificate the site delivers is correct.

While I think the OP has a valid point and there should be a way for the user to check whether the connection is valid and secure (but not as he describes it, as that would create another wave of support tickets for sure).
The thing is though: nobody cares! It's the same with the millions and millions of EULAs and data "protection" contracts people agree to every day without reading any of it; they just want to get what they were promised, anything else has a very low priority.

Edit: @OP: please choose a more "speaking" title, as there is no hint about the real topic in it.
Post edited July 09, 2019 by DerBesserwisser
Thanks for the clearing up!
Bumping this thread. I'd like to see an official response here because the Steam integration is currently insecure and it could be using the officially sanctioned Steam API instead of doing a website login and scraping HTML.

I started a Reddit thread about this earlier today and I posted some analysis there of the source code to the Steam plugin.

Note that this isn't about whether the certificate is shown or not (though that would be nice to be able to actually verify that you're typing credentials into the real Steam website and not a fake). Even if it's known that this is a true Steam website, you are still giving your Steam credentials to a third-party plugin, and letting them do whatever they want on the Steam website using your credentials. While I don't believe the plugin does anything malicious, in theory the plugin could be making purchases on your behalf, posting fake reviews on your behalf, etc.

This is what the Galaxy 2.0 Steam login looks like.

This is what a Steam API authorization looks like.

This is not an authorized way for a third party to integrate with Steam and could be a violation of the Steam TOS. Valve provides an official way for third parties to integrate with Steam, using OpenID, which is properly locked down so the third party cannot take sensitive actions, only do things like look at your game library and achievements (which I believe is all the plugin really needs to do). Why doesn't the Galaxy Steam integration use the Steam API instead of doing a website login?

(Security aside, the website approach is highly susceptible to breakage, as it actually goes looking through Steam's HTML for information. If Steam updates their UI which they are going to do some day, the plugin will stop working.)
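The browser-based flow Scorcher24 sketches above ("connect Steam -> default browser -> confirm -> token passed back") and the Steam OpenID integration the last post asks for are the same design. The following is an added example, not GOG's, Playnite's or Valve's code, of what the relying-party side looks like: the client only ever opens a steamcommunity.com URL in the user's real browser, receives a signed assertion naming a SteamID64, and relays that assertion to Steam for verification; no Steam password or Steam Guard code ever touches the third-party app. The realm and return_to URLs, the sample callback and the injected `post` transport are constructed for the example.

```python
import re
from urllib.parse import urlencode, parse_qs

STEAM_OPENID = "https://steamcommunity.com/openid/login"
OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENT_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
# Steam's claimed_id is always https://steamcommunity.com/openid/id/<17-digit SteamID64>
CLAIMED_ID_RE = re.compile(r"^https://steamcommunity\.com/openid/id/(\d{17})$")

def build_login_url(realm, return_to):
    """URL the launcher hands to the user's default browser; credentials go to Steam only."""
    params = {
        "openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
        "openid.identity": IDENT_SELECT, "openid.claimed_id": IDENT_SELECT,
        "openid.return_to": return_to, "openid.realm": realm,
    }
    return STEAM_OPENID + "?" + urlencode(params)

def verify_callback(query, expected_return_to, post):
    """Validate the redirect Steam sends back; return the SteamID64 or None.
    `post(url, data) -> str` is an injected HTTP transport (e.g. requests.post(...).text)."""
    q = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if q.get("openid.ns") != OPENID_NS or q.get("openid.mode") != "id_res":
        return None
    # the assertion must have been issued for our own callback URL
    if q.get("openid.return_to") != expected_return_to:
        return None
    m = CLAIMED_ID_RE.match(q.get("openid.claimed_id", ""))
    if not m or q.get("openid.identity") != q["openid.claimed_id"]:
        return None
    # the fields we rely on must be covered by Steam's signature
    signed = set(q.get("openid.signed", "").split(","))
    if not {"claimed_id", "identity", "return_to"} <= signed:
        return None
    # direct verification: resend the assertion to Steam with mode=check_authentication
    check = dict(q, **{"openid.mode": "check_authentication"})
    if "is_valid:true" not in post(STEAM_OPENID, check).splitlines():
        return None
    return m.group(1)

# constructed sample callback (placeholder SteamID64 and signature, not real values)
SAMPLE_RETURN_TO = "https://launcher.example.test/steam/callback"
SAMPLE_ID = "76561190000000001"
SAMPLE_CALLBACK = urlencode({
    "openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.op_endpoint": STEAM_OPENID,
    "openid.claimed_id": "https://steamcommunity.com/openid/id/" + SAMPLE_ID,
    "openid.identity": "https://steamcommunity.com/openid/id/" + SAMPLE_ID,
    "openid.return_to": SAMPLE_RETURN_TO, "openid.assoc_handle": "1234567890",
    "openid.signed": "signed,op_endpoint,claimed_id,identity,return_to,assoc_handle",
    "openid.sig": "PLACEHOLDER_SIGNATURE",
})
```

With a real transport such as `lambda url, data: requests.post(url, data=data).text`, `verify_callback` answers only "is this SteamID64 the person who just logged in", which is all a library importer needs; the Steam Web API then serves the game list with a separate API key, never with user credentials.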