Security: Steam token redaction in logs
GameHub Lite 5.1.8 fixes a logging issue where Steam authentication-related values could appear in diagnostic logs.
In some cases, logs could include fields such as steamToken, refreshToken, or accessToken from Steam login/launch flows.
Publicly posted logs containing these fields should be deleted or redacted.
IMPORTANT
This should go without saying, but if you find any security issues, please reach out PRIVATELY.
I have not checked if this issue is still present in recent GameHub versions. The person who reported this publicly already ruined the one day off I was spending with my family, and I do not plan on spending any more time on this.
Changelog
The fix adds centralized log redaction for Steam/auth token fields, Steam QR login URLs, JWT-like token strings, and launch command token arguments before logs are written. This covers the app loggers, JavaSteam logging, and the PC launch-log file writer.
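The redaction approach described above, as an added Python example that is not GameHub Lite's own code: one function masks the four categories the changelog names, and a logging filter applies it before records are written. The QR URL shape (`https://s.team/q/...`), the launch-argument flag pattern and the sample lines are assumptions constructed for illustration; the same function can be run over a log file before it is posted publicly.

```python
import logging
import re

MASK = "[REDACTED]"
# Keys ending in "token": covers steamToken, refreshToken, accessToken from the
# release note, in key=value, key: value and JSON "key": "value" forms.
_FIELD = re.compile(r'(?i)("?\w*token"?\s*[:=]\s*)("[^"]*"|[^\s,;&}]+)')
# Assumed launch-argument shape (hypothetical flag names): -token VALUE, --x-token=VALUE.
_ARG = re.compile(r'(?i)(--?[\w-]*token[\w-]*[ =])("[^"]*"|\S+)')
# Assumed Steam QR login URL shape; adjust to what your logs actually contain.
_QR = re.compile(r'(?i)https?://s\.team/q/\S+')
# JWT-like: three dot-separated base64url segments, the first starting with "eyJ".
_JWT = re.compile(r'\beyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]+')


def redact(text: str) -> str:
    """Mask token-bearing substrings; keys and flag names stay for debugging."""
    text = _FIELD.sub(lambda m: m.group(1) + MASK, text)
    text = _ARG.sub(lambda m: m.group(1) + MASK, text)
    text = _QR.sub(MASK, text)
    return _JWT.sub(MASK, text)  # catches bare tokens with no key in front


class RedactingFilter(logging.Filter):
    """Attach to a handler so every record is masked before it is written."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so tokens passed as %-style args are masked as well.
        record.msg, record.args = redact(record.getMessage()), None
        return True


# Constructed sample lines (not real tokens, not taken from GameHub logs).
SAMPLE = [
    'login ok steamToken=abc123DEF, user=alice',
    '{"refreshToken": "eyJhbGciOiJFZERTQSJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl"}',
    'Bearer eyJhbGciOiJFZERTQSJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl sent',
    'qr challenge https://s.team/q/1/1234567890 shown',
    'exec game.exe -token SECRETVALUE -windowed',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(redact(line))
```

Masking only the value and keeping the key name preserves the diagnostic signal (which flow logged a token) without the secret itself.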
This release also pins local patch builds to apktool 2.12.1.
Full Changelog: v5.1.7...v5.1.8