A teenager revealed security holes in Valve’s developer site that allowed him to upload a game about watching paint dry to Steam without any approval.
Ruby Nealon, a computer science student in the U.K., discovered that the Steamworks site’s approval process could be skipped when he uploaded his game Watch Paint Dry, a riveting role-playing adventure in which the gamer watches paint dry.
Nealon detailed his experiment on Medium. First he managed to obtain an account on Steamworks and some in-game trading cards last month. Then he found flaws in the HTML form data that was being sent to Valve’s servers, which allowed him to alter the code into the thinking his cards had been approved by an editor. After that he was able to spoof his session ID number and publish the game.
The student has already been in contact with Valve and the holes were plugged before he went public. It was never his plan to cause any problems for other users or attempt to sell the game to anyone, he added. (And after all, who would buy it?) It was instead always his intention to expose the holes and he has also purposefully omitted some particular details on how he pulled this off.
“Something I’ve definitely learned from doing this is when working with user-generated content that first needs to be approved, do not have ‘Review Ready’ and ‘Reviewed’ as two states of existence for the content,” said Nealon in his advice to Valve and other sites in the future.
“Instead, maybe take an approach where the review of the item has an audit trail by giving each piece of content a ‘review ticket’ or something similar and not allowing the content to switch to the Released state until there is a review ticket for the content,” he said. “Or just don’t allow users to set the item to ‘Released.’”