We outsmarted CSGO cheaters with IdentityLogger
Overall reaction to IdentityLogger approach
- Many find the hidden fingerprinting both impressive and “disgusting.”
- Some argue it’s acceptable in the context of cheaters who deliberately ruin others’ experiences.
- Others worry this shows how easy it is to repurpose browser‑style tracking for games.
- A few suggest platform‑level support (e.g., Steam exposing stronger fingerprint APIs), but note this would quickly become part of the cheat arms race.
VGUI browser, security, and implementation details
- Several comments highlight how insecure the old VGUI browser was: shared cookies across Steam accounts, session theft, and even RCE‑like exploits via server‑served JavaScript.
- Valve eventually removed it, breaking tools like IdentityLogger and in‑game music players but closing a major attack vector.
- Some point out that HTTPS traffic isn’t a real barrier for determined attackers, but is enough to hide from most “script kiddies.”
Privacy, legality, and GDPR/ePrivacy debates
- Some see the hidden cookie as a clear tracking mechanism that would violate EU rules today.
- Others argue fraud/cheat prevention could be a “legitimate interest” / “user‑centric security cookie” not requiring explicit consent, though disclosure would still be expected.
- There is disagreement over whether “long‑lived” (10+ years) cookies can ever count as “limited duration.”
Effectiveness, limits, and the arms race
- Consensus: technique is useful mainly to raise the cost of ban evasion and push cheaters elsewhere, not to “solve” cheating.
- Critics note it’s trivial for technically skilled cheaters to defeat once known (e.g., delete a file, reinstall, or sandbox).
- Discussion emphasizes the broader cat‑and‑mouse: kernel‑level cheats, DMA devices, AI/YOLO‑based aimbots, external overlays, and server‑side statistical detection.
- Some argue modern anti‑cheat is fundamentally defeatable; focus should shift to plausibility modeling, reputation systems, and human review rather than absolute prevention.
IP bans and collateral damage
- Heavy debate on IP‑based banning:
  - Pro: cheap, easy, effective against low‑effort cheaters; widely used in practice.
  - Con: CGNAT, dynamic IPs, and shared networks mean frequent collateral bans and possible denial‑of‑service against innocents.
- Suggested mitigations: combine IP with other identifiers, expire bans, use whitelists or cheater‑only “hell” queues, and accept some unfairness on small private servers.
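
The mitigations listed above can be sketched as a server-side ban check. This is an added example, not code from the discussion or from IdentityLogger; `Ban`, `decide`, the `device_id` field and the sample records are hypothetical, and treating only the RFC 6598 range as "shared" is a simplifying assumption.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# RFC 6598 shared address space used by carrier-grade NAT: many unrelated
# players can sit behind one of these addresses.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

@dataclass(frozen=True)
class Ban:
    ip: str
    device_id: str      # hypothetical second identifier (e.g. a persistent token)
    issued: datetime
    ttl: timedelta      # bans expire instead of living forever

    def active(self, now: datetime) -> bool:
        return now < self.issued + self.ttl

def decide(bans, ip, device_id, now, allowlist=frozenset()):
    """Return 'deny', 'review' or 'allow' for a connecting player."""
    if device_id in allowlist:
        return "allow"              # manually cleared player overrides everything
    ip_hit = False
    for ban in bans:
        if not ban.active(now):
            continue                # expired bans no longer match
        if ban.device_id == device_id:
            return "deny"           # strong identifier match, whatever the IP
        if ban.ip == ip and ipaddress.ip_address(ip) not in CGNAT:
            ip_hit = True           # IP alone is only a weak signal
    # An IP-only match never bans outright: route it to human review or a
    # restricted queue. Matches on shared CGNAT addresses are ignored.
    return "review" if ip_hit else "allow"

# Constructed sample data (documentation address ranges, made-up identifiers).
_T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOW = _T0 + timedelta(days=9)
SAMPLE_BANS = [
    Ban("203.0.113.7", "dev-a", _T0, timedelta(days=30)),
    Ban("100.64.5.9", "dev-b", _T0, timedelta(days=30)),
    Ban("198.51.100.4", "dev-c", _T0 - timedelta(days=365), timedelta(days=30)),
]

if __name__ == "__main__":
    for ip, dev in [("192.0.2.1", "dev-a"), ("203.0.113.7", "dev-x"),
                    ("100.64.5.9", "dev-y"), ("198.51.100.4", "dev-c")]:
        print(ip, dev, decide(SAMPLE_BANS, ip, dev, SAMPLE_NOW))
```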