Security Issue: Able to bypass Private & Friends Only lobby settings by directly joining the lobbyId
Describe the bug
If a lobby is set to private or friends only, anyone can still join it if they have the lobbyId. And since lobbyId really only has 5-6 of its 18 characters changing based on when it was made, it is fairly trivial to guess lobbyIds.
To Reproduce
- Create a lobby with “SteamMatchmaking.CreateLobbyAsync(10);”
- Set the lobby to private “lobby.SetPrivate();” or friends only “lobby.SetFriendsOnly();”
- Get the lobbyID “lobby.Id.ToString();”
- On another user that has not been invited or added as a friend by the host, call “SteamMatchmaking.JoinLobbyAsync(lobbyId);” or preferably create a local lobby var “new Lobby(lobbyId);” and call “lobby.Join()” on it.
Calling Code
Outlined above.
Expected behavior
The join game request on the 2nd user should fail because they don’t have permission.
Desktop (please complete the following information):
- OS: Windows 11
- Unity: 2020.3.30f1
Additional context
I’m fairly certain this is an issue with the base C++ Steamworks SDK, but I wanted to post it here for awareness. This issue is compounded by the lack of ability to securely kick a user from a lobby.
Theoretically, a malicious user could modify their client to refuse local calls to kick itself from a lobby and exploit the above flaw to join any lobby they desired. So there is nothing a host could do to get rid of them, short of closing their own lobby.
Please let me know if I missed a detail anywhere that solves this issue. I am trying to find a solution to this problem for my game.
Issue Analytics
- Created 2 years ago
- Reactions: 1
- Comments: 6 (1 by maintainers)
Top GitHub Comments
I can’t believe Valve don’t see this as an issue…
If you haven’t already, reporting it here might be the quickest way to get a response if Valve agrees that it is a security issue (I think it is).