bp9801 Posted March 30, 2016 Posted March 30, 2016 Steam is a typically heavily curated service, where Valve has direct say in what is and is not available in its store. However, a hacker recently discovered an exploit that enabled him to put a game directly on Steam without having Valve give it the go ahead. The game, Watch Paint Dry, appeared Sunday night and caused many people to freak out, saying Valve no longer had any quality control for the Greenlight games. The only issue is Watch Paint Dry was never on Greenlight and neither will it ever be, since its creator made it quickly in RPG Maker just to showcase the exploit (the "game" lasts under one minute). The creator, a 16-year-old kid, managed to get access to Steamworks, the publishing platform for Steam games, and set about looking for exploits. He whipped up Watch Paint Dry, some trading cards, and took advantage of an exploit that let him be seen as someone from Valve. This let the game pass directly through onto Steam, after some coding tweaks, of course. The initial plan was to have the game appear on April 1, yet it "released" earlier than he expected. It didn't have a price attached to it, just it simply showed up in the store. No approval process, no review by Valve, just the game immediately on Steam. Since this was meant as a showcase of an exploit that Valve may not have been aware about, it has since been patched and the kid has been in contact with Valve over what he was able to do. It may help Valve check for any other potential exploits that were vulnerable, and at least this way it was not a malicious hack, just to show what can be done if any loopholes in the code exist. You can check out the source below for the full details on the exploit, with some of it potentially bringing a facepalm over what Valve left exposed. Source: Medium Back to original news post Share this post Link to post Share on other sites More sharing options...
ClayMeow Posted March 30, 2016 Posted March 30, 2016 Valve rewards hackers for finding vulnerabilities, as long as they don't act maliciously, so this kid could be seeing a pretty nice check for very little work... and maybe even a job in the future. Share this post Link to post Share on other sites More sharing options...
Waco Posted March 30, 2016 Posted March 30, 2016 Valve rewards hackers for finding vulnerabilities, as long as they don't act maliciously, so this kid could be seeing a pretty nice check for very little work... and maybe even a job in the future. To be fair, any decent code review *should* have caught this. Basic premise in design is to never trust the client. Share this post Link to post Share on other sites More sharing options...
ClayMeow Posted March 30, 2016 Posted March 30, 2016 Valve rewards hackers for finding vulnerabilities, as long as they don't act maliciously, so this kid could be seeing a pretty nice check for very little work... and maybe even a job in the future. To be fair, any decent code review *should* have caught this. Basic premise in design is to never trust the client. Very true. I never really thought to check what language Valve was using. I'm a JS programmer...if I knew they utilized js/ajax, maybe I could have collected that "bounty" Share this post Link to post Share on other sites More sharing options...
Recommended Posts