
How chat links & history work in Steam

Did you ever encounter long delays when clicking on a link inside a Steam chat? We did. And we fucked up about this and tried to find out. Sometimes your links are even removed or prepended with a linkfilter.

We found out that Steam probably prepends a security warning page to every link inside a Steam chat window, but it is only active under some circumstances. The prepended URL is as follows:

https://steamcommunity.com/linkfilter/?url=

When entering a blacklisted page, e.g. any URL on directupload.net, it looks like this:

Example

Annoying enough that Steam tries to dictate to me which pages may be malicious, it includes an image hosting service inside that list - WTF? Time to find out how this stupidity works.

Technically, Steam prepends this filter to every URL by default (you can easily watch this in memory). When you click on a link inside the chat window, Steam contacts the Steam servers to find out whether the given URL is on a blacklist. The result can be either "yes" or "no". After the request to the Steam servers is finished, the link opens. If the answer was "not malicious", the prepended filter is removed. We found this out because if you have Steam open and go physically offline (e.g. by disabling networking), every link opens instantly with the filter prepended, even if it would not be prepended if we were online.

That just means Valve not only knows the links I send/receive (of course they know as I'm using their service) but they know every time I click on a link! (Of course ignoring caching mechanisms etc.)
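The click flow described in the two paragraphs above, as an added Python model (not Steam's code and not part of the original post). The `ConstructedServer` class, its blacklist, the sample URLs and all function names are assumptions made for illustration; only the linkfilter prefix and the directupload.net example come from the post.

```python
from urllib.parse import urlsplit, unquote

LINKFILTER = "https://steamcommunity.com/linkfilter/?url="  # prefix quoted in the post

def wrap(url):
    """What the client keeps for every chat link: filter prefix plus the URL."""
    return LINKFILTER + url

def unwrap(url):
    """Return the original target of a wrapped link, or the URL unchanged."""
    if not url.startswith(LINKFILTER):
        return url
    # Slice instead of parsing the query string: a raw target carries its own
    # "?a=1&b=2", which a query-string parser would cut off at the first "&".
    target = url[len(LINKFILTER):]
    # Assumption: the target may also arrive percent-encoded; decode only then.
    if target.lower().startswith(("http%3a", "https%3a")):
        target = unquote(target)
    return target

class ConstructedServer:
    """Stand-in for the server-side lookup; blacklist and log are constructed."""
    def __init__(self, blacklisted_hosts):
        self.blacklisted_hosts = set(blacklisted_hosts)
        self.lookups = []  # every online click becomes visible to the server

    def is_blacklisted(self, url):
        self.lookups.append(url)
        host = (urlsplit(url).hostname or "").lower()
        return any(host == h or host.endswith("." + h)
                   for h in self.blacklisted_hosts)

def resolve_click(wrapped, server, online):
    """URL the browser ends up opening, following the behaviour observed above."""
    if not online:
        return wrapped  # no answer possible: opens instantly, filter kept
    target = unwrap(wrapped)
    if server.is_blacklisted(target):
        return wrapped  # warning page stays in front of the link
    return target       # "not malicious": filter removed
```

The `lookups` list is the privacy point in miniature: it grows by one entry per online click, not per message sent.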

Further, we noticed that if my mate sends me a blacklisted URL and both of us are online, I just receive the "link removed" text in the language of my operating system (German):

22:55 - myfriendsname: {LINK ENTFERNT}

My mate sees the link he sent because it won't get removed if you are the sender.

Seems okay. But wait... If my friend restarts Steam on his machine and the history loads up, the URL he has sent to me is removed, too. And the text is in German although he has an English operating system. The reason seems to be that Steam stores those history entries in the view of the person who received the message. That makes absolute sense, since the link removal is handled automatically and correctly. We verified this by sending a link from my machine. It was the same, vice versa.

(This is also the confirmation for previous thoughts of mine because I always wondered why the history in chats takes so long to show up. The reason is, of course: it is stored on the server. That's because my chat partner knows the language of my operating system. A hint from a friend let us look into the mobile (Android) client of Steam. There we noticed another interesting thing: you can scroll up the history to see what was written in the past. WHY IN GODDAMN HELL DON'T WE HAVE THAT FEATURE ON THE DESKTOP CLIENT? You can't earn money implementing this is my guess.)

Sadly, we couldn't figure out an easy way to stop Steam asking their servers for approval and therefore we weren't able to remove the delay. Also, the removal of the link seems to be server side since the original blocked URL is not in the memory of the chat partner at any time.

Gabe, just a suggestion: if you remove URLs server side it means that you inspect all URLs. So, please just start sending a flag connected to the chat message which tells the client immediately if the link will be finally filtered. Then we can at least avoid the delay when clicking a link...

May 28th, 2016