Why the heck does steam show your personal EMAIL when you send a gift?

Heh, I wonder if I have something to do with this.

It used to be that you could email someone a gift, and when you clicked the link in the email, it would automatically accept the gift. However, I discovered that this could be abused to de-anonymize people online: you buy a cheap game as a gift, send the gift email to yourself, and take the link in the email and put it into a hidden automatically-loaded iframe in a public webpage that your target visits. If you target is signed into steam's website, then when they visit the page then the gift will be accepted into their account, and then you can check your account to see who the gift was sent to.

I emailed Valve about this, and shortly afterward they changed it so that when you click the gift link, you're brought to a page where you're told about the gift, who it's from, and there's a button you have to click to accept it. By accepting it, the person listed who gifted it to you gets to know your account. I assume that's what the sentence you quoted is referring to. They could've made it a little clearer though, but the existence of the accept-page at least means that the silent zero-interaction attack is no longer possible.

/r/Steam Thread Parent Link - i.redd.it