No way to tell incorrect captcha from incorrect login

geel9 / SteamAuth

A C# library that provides vital Steam Mobile Authenticator functionality

MIT License

276 stars 102 forks source link

No way to tell incorrect captcha from incorrect login #9

Closed Pwntastic closed 8 years ago

Pwntastic commented 8 years ago

It doesn't look like there's any way to tell the difference between the login results from an incorrect login with valid captcha and a valid login with incorrect captcha. they both return NeedCaptcha.

I realize valve don't have a separate flag on the login response, but the message returned is different between the two.

Valve return "Please verify your humanity by re-entering the characters below." if the login was correct but the captcha was wrong, and "Incorrect login." if the login was wrong and the captcha correct.

geel9 commented 8 years ago

Will attempt to resolve.

charredgrass commented 8 years ago

Can confirm, same happening with me.

shravan2x commented 8 years ago

You can insert the following fixes in UserLogin.cs.

On line 191:

[JsonProperty("message")]
public string Message { get; set; }

On line 108:

if (loginResponse.Message != null && loginResponse.Message.Contains("Incorrect login"))
    return LoginResult.BadCredentials;

Jessecar96 commented 8 years ago

Fixed with #17