It's been a pretty crazy 2 weeks for us over at CSFloat...

On April 3, various Steam API endpoints that facilitate the verifying of trades on P2P marketplaces were removed and caused havoc in the community.

What emerged from this was one of two approaches as a mitigation:

  1. Steam Session hijacking (ie. via a mobile app) - typically taken by "large" marketplaces that need to scale (and by some not-as-nice actors)

  2. Manual "Escrow" System with Support Team resolving disputes - typically taken by marketplaces that have the resources to manually resolve disputes at the sake of higher costs

Unfortunately, 1) has privacy issues for the long-term health of the P2P economy. While the access the site has to your account is typically short-lived (expires in 24h tokens), it still could conceivably perform other unintentional actions on your Steam account during that time.

And while 2) has the appeal of being more privacy-centric, it is incredibly difficult to offer this kind of system in especially the digital gaming world where fraud is everywhere. It requires scaling your support team, but more importantly, still struggles to allow a user to provide irrefutable proof that they did in-fact send an item to the buyer correctly while preserving privacy.

And this is why we spent this time working on a system that can combine the privacy-centric approach of a pure "escrow" system while also enabling irrefutable evidence when a seller sends an item.

So... how does it work?

As a seller, the main change is that you need to use the CSFloat extension on Chrome (and Firefox in the future) when sending a trade offer. This used to be optional in order to prevent mistakes, but in order to provide a better experience for tracking sales on the site, it is now required.

We'd like to emphasize that the CSFloat extension does not send any private session details about your Steam account such as a session token, your login details, etc... it only provides meta information to improve the seller/buyer experience on the site.

Beyond that, most of the process is as automatic as it was before! It is possible that in some rare cases, a buyer is able to dispute their purchase, and in that case we have the ability for you to provide an irrefutable proof of delivery without sacrificing your privacy -- automatically.

We're committed to open source for over 8 years, and you can view the extension's code on GitHub

Why not just hijack my Steam login?

While this is certainly tempting (and similar to what the largest P2P marketplace in the industry does), we wanted to do everything that we can to avoid this.

Back when CSFloat Market launched in 2020, we didn't actually collect "API Keys" to verify trades for users for the same reason – to collect as little detail as we needed to verify trades scalably.

Having access to your full Steam login session allows a malicious attacker a higher attack surface than a Steam Web API key would. While you may trust your favorite marketplace with your login session, it sets a poor long-term precedent when multiple sites may have your session.

Going Forward

We're sorry for the long downtime, but are excited to offer an even more privacy-centric verification system than before.

This system is designed to be resilient going long into the future – as long as you can trade skins, you should be able to use CSFloat.


Step7750 & Perplex

Co-Founders of CSFloat