
Steam "Offline" status leaks exact login timestamps (Valve: Won't Fix)

1. bigyab+61 2026-01-20 22:52:44
>>xmrcat+(OP)
> Their logic: You have to be friends with the user to receive this packet. Therefore, a "trust relationship" exists.

That logic is acceptable. You could also DM an offline friend a tracking pixel to reconstruct their activity; a lot of this endpoint security is entirely up to the user.

2. xmrcat+E1 2026-01-20 22:56:44
>>bigyab+61
True, but a tracking pixel is an active attack that leaves a visible trail. This leak is passive surveillance; I can silently graph the sleep cycles of 200 friends without ever interacting with them. Trust shouldn't imply consent for invisible, automated logging.

3. werner+l2 2026-01-20 23:00:51
>>xmrcat+E1
But your friends have accepted your request for friendship, and your friends are not expecting you to spy on them, correct?

4. rvnx+H2 2026-01-20 23:03:37
>>werner+l2
It's about when your friends were last signed in to their account. From my understanding:

    Invisible = Sign in but do not broadcast the games you are playing (though your profile will show that you signed in)

    Offline = Stay offline and do not sign in

5. nemoma+Q2 2026-01-20 23:04:38
>>rvnx+H2
I mean the invisible status is supposed to hide all that, yeah. Why have a "show as offline" if it still shows activity like going online?

6. rvnx+h6 2026-01-20 23:26:27
>>nemoma+Q2
> Steam "Offline" status leaks exact login timestamps (Valve: Won't Fix)

On the profile of a friend you can see the last time they signed in to their account:

https://preview.redd.it/can-anyone-beat-my-last-online-frien...

Before, it was public, and now it is restricted (for a couple of years already) to friends only.

I guess this is why they won't change it, since it's a feature.

7. xmrcat+68 2026-01-20 23:37:25
>>rvnx+h6
Incorrect. "Invisible" is a privacy control, not just a UI filter. While the official client freezes the text, the backend still broadcasts live last_logon and last_logoff Unix timestamps in the ClientPersonaState packet. This leaks exact real-time sleep/wake cycles via the socket, completely bypassing the privacy toggle.