This 16-year-old hacked into Steam to promote his rather silly game on its system
A 16-year-old hacker exploited vulnerability in Steam and went on to publish his 45-second-long ‘game’ onto Steam without a single person at Valve setting eyes on it.
Ruby Nealon, who created the game called Watch Paint Dry, is a game about watching paint dry. It made its way onto Steam without going through Greenlight or acquiring an elusive Valve stamp-of-approval. Thanks to Nealon, the vulnerability he exploited has now been fixed.
He helped them fix this backdoor into Steam, which was his agenda from the start.
“I have been in contact with Valve who have now fixed the vulnerability”, wrote Nealon at the end of his post. “TL;DR?—?I was responsible for Watch paint dry. Getting caught was part of my plan. It’s just a prank, bro!”
However, Nealon reported his incredible exploit on Medium. So, how did he manage to publish his game on Steam? To start with, he acquired a Steamworks account through unspecified means. Nealon then manipulated a javascript function on Steam by adding his app ID and session ID from his trading cards to get Watch Paint Dry to show up on the store. Once done, ‘Watch Paint Dry’ was in Steam’s New Release Section.
“Something I’ve definitely learned from doing this is when working with user-generated content that first needs to be approved, do not have “Review Ready” and “Reviewed” as two states of existence for the content. Instead, maybe take an approach where the review of the item has an audit trail by giving each piece of content a “review ticket” or something similar and not allowing the content to switch to the Released state until there is a review ticket for the content. Or just don’t allow users to set the item to “Released”.
