Teen hacker exposes security flaws by publishing unapproved game on Steam

A teenager revealed security holes in Valve’s developer site that allowed him to upload a game about watching paint dry to Steam without any approval.

Ruby Nealon, a computer science student in the U.K., discovered that the Steamworks site’s approval process could be skipped when he uploaded his game Watch Paint Dry, a riveting role-playing adventure in which the gamer watches paint dry.

Nealon detailed his experiment on Medium. First he managed to obtain an account on Steamworks and some in-game trading cards last month. Then he found flaws in the HTML form data that was being sent to Valve’s servers, which allowed him to alter the code so that his cards appeared to have been approved by an editor. After that he was able to spoof his session ID number and publish the game.

The student has already been in contact with Valve and the holes were plugged before he went public. It was never his plan to cause any problems for other users or attempt to sell the game to anyone, he added. (And after all, who would buy it?) It was instead always his intention to expose the holes and he has also purposefully omitted some particular details on how he pulled this off.

“Something I’ve definitely learned from doing this is when working with user-generated content that first needs to be approved, do not have ‘Review Ready’ and ‘Reviewed’ as two states of existence for the content,” said Nealon in his advice to Valve and other sites in the future.

“Instead, maybe take an approach where the review of the item has an audit trail by giving each piece of content a ‘review ticket’ or something similar and not allowing the content to switch to the Released state until there is a review ticket for the content,” he said. “Or just don’t allow users to set the item to ‘Released.’”
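
The design Nealon recommends can be sketched as a server-side state machine. This is an added example, not code from Valve or from Nealon's write-up; the class, field and user names are hypothetical. The review state never comes from the submitted form, and release requires an approved review ticket recorded by an independent reviewer.

```python
import secrets
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    DRAFT = "draft"
    REVIEW_READY = "review_ready"
    RELEASED = "released"

class Forbidden(Exception):
    pass

@dataclass
class Item:
    item_id: int
    owner: str
    title: str = ""
    state: State = State.DRAFT

class ReviewService:  # hypothetical service, names are illustrative
    EDITABLE = {"title"}  # the only fields a client form may set

    def __init__(self, reviewers):
        self.reviewers = set(reviewers)
        self.tickets = {}  # item_id -> (ticket_id, reviewer, approved)
        self.audit = []    # append-only trail of (item_id, actor, action)

    def update_from_form(self, item, user, form):
        # State never comes from the request body; unknown fields are rejected.
        if user != item.owner or set(form) - self.EDITABLE:
            raise Forbidden("field not editable by client")
        item.title = form.get("title", item.title)

    def submit(self, item, user):
        if user != item.owner or item.state is not State.DRAFT:
            raise Forbidden("only the owner may submit a draft")
        item.state = State.REVIEW_READY
        self.audit.append((item.item_id, user, "submitted"))

    def review(self, item, reviewer, approved):
        # Reviewer identity comes from the authenticated session, not the form.
        if reviewer not in self.reviewers or reviewer == item.owner:
            raise Forbidden("independent reviewer required")
        if item.state is not State.REVIEW_READY:
            raise Forbidden("item is not awaiting review")
        self.tickets[item.item_id] = (secrets.token_hex(8), reviewer, approved)
        self.audit.append((item.item_id, reviewer, "approved" if approved else "rejected"))

    def release(self, item, user):
        ticket = self.tickets.get(item.item_id)
        if item.state is not State.REVIEW_READY or not (ticket and ticket[2]):
            raise Forbidden("no approved review ticket on record")
        item.state = State.RELEASED
        self.audit.append((item.item_id, user, "released"))
```
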
