A 16 year-old successfully hacks Steam and releases a ‘prank’ video game about watching paint dry, leading fans to ask questions about the platform’s security.
With over 125 million active users and an estimated 75% of all PC gaming sales going through the platform, Steam is responsible for a lot of money and sensitive data. That’s why it was so concerning when earlier this week a 16-year old was able to hack into Steam and publish content on the platform without (Steam platform holder) Valve’s approval.
The 16-year-old, named Ruby Nealon, details his exploits in a blog post on Medium. First he got into the Steamworks Developer Program, (Steamworks is the “backbone for game achievements, DRM, multiplayer, etc…”, says Nealon) and then he made a “basic joke set” of trading cards. Although Valve is meant to review and approve these types of submissions before they can actually show up on Steam, by changing some values on the review form and by looking at the options that the servers sent back (after Nealon put in a bad request), the teen was able to convince the servers to see his submission as “a genuine request from a developer whose trading cards were approved.” As a result, the trading card’s status was set as “released.”
Nealon had more than joke trading cards planned, however, by continuing to mess around with the Steamworks website code (which Nealon says was “readable by anyone”) the teen managed to get an actual game onto the Steam store. That game was Watch paint dry and, as the name suggests, its gameplay entirely consists of watching a wall of paint dry for 45 seconds.
In Nealon’s explanation of why he did it, the teen says that this was merely to test something that he’d been trying to report to Valve about for “the past few months.” Despite this, the vulnerability stayed live “without Valve ever even having a look at it.”
While many Steam users will be glad to know that Valve has since fixed the exploit, others have voiced some serious concerns regarding Steam’s security. Back in December, Steam was the victim of a DoS attack that took it offline and while that appears to have been a coordinated attack on PC gamers’ Christmas celebrations, the fact that a lone teenager (albeit a very gifted one) was able to get an unapproved game onto Steam has sounded more alarm bells for some.
Moreover, Valve has let Nealon keep his Steamworks account to find more bugs and the teenager has found two other major exploits that Valve managed to miss. On top of this, Nealon says that Valve hasn’t offered him a ‘bug bounty’ (a payment which companies often give out as thanks for finding exploits) either, meaning that if there are other bugs out there, bug busters like himself will have little incentive to report them.
Valve has made some big changes to Steam recently including the changes to Steam bundle pricing and a (soft) re-introduction of paid-for user-created content. However, with so many holes being poked in Steam’s security, many are now asking whether or not the company has its priorities in order.