Slashdot Mirror


Researcher Uses Valve Security Bug To Upload Paint Drying Game On Steam (softpedia.com)

An anonymous reader writes: A security researcher found two bypasses in Valve's game review process that eventually allowed him to publish Steam Trading Cards and a full game on the Steam Store called "Watch Paint Dry" (reference to this case from last month involving the British film censors). The game was supposed to be an April Fools' Day prank, but the researcher forgot to set a release date, and [the game] was published on the Steam Store last weekend. Valve has fixed the security bypass in the meantime. These bypasses were extremely dangerous since they allowed anyone to publish games on the Store (possibly containing malware) without a Valve employee ever taking a look at them, or knowing they went through the review process.

48 comments

  1. Explanation for Steam Early Access? by Anonymous Coward · · Score: 0

    I guess a lot of games used that bypass to be on the early access judging by the lack of quality and polish and high price

  2. Damnit! by U2xhc2hkb3QgU3Vja3M · · Score: 4, Funny

    Another Windows-only game!

    1. Re:Damnit! by Anonymous Coward · · Score: 0

      Looks like it was hacked together with some edition of RPGMaker, so it inherits those OS restrictions.

    2. Re:Damnit! by U2xhc2hkb3QgU3Vja3M · · Score: 1

      Is there a modern "game maker" for old-style SCUMM games? I.E. something that will output game data that can be run on the various SCUMM emulators out there?

    3. Re:Damnit! by wardrich86 · · Score: 0

      There's AGS (Adventure Game Studio) that's been around for some time. It's great for creating point-and-click adventure games... and it compiles to native Windows exes, so there's no need for SCUMM or emulation.

    4. Re:Damnit! by Anonymous Coward · · Score: 0

      Was going to say the same thing... AGS was pretty neat when I looked into it long ago (about 13 years IIRC) although I never learned it well enough to go beyond basic scene compositions.

      There were, however, some astounding games released for AGS. My favorite was probably The Uncertainty Machine (http://www.adventuregamestudio.co.uk/site/games/game/162/)

    5. Re: Damnit! by Anonymous Coward · · Score: 0

      Which was exactly what he didn't want.

    6. Re:Damnit! by U2xhc2hkb3QgU3Vja3M · · Score: 1

      I'm specifically asking for something that will output SCUMM-compatible data so the game isn't platform-dependent. I DO NOT WANT something that will output a useless Windows executable file.

    7. Re:Damnit! by Qzukk · · Score: 3, Informative

      According to http://wiki.scummvm.org/index.... the best way to go about it is to pick an engine that ScummVM supports (SCI, AGI, or Wintermute 2D) and make a game for that engine.

      There's links for each:

      http://wiki.scummvm.org/index....
      http://wiki.scummvm.org/index....
      http://wiki.scummvm.org/index....

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    8. Re:Damnit! by U2xhc2hkb3QgU3Vja3M · · Score: 1

      +5 informative, thank you.

    9. Re:Damnit! by wardrich86 · · Score: 1

      Oh! That makes a lot of sense, actually. Glad that other guy had your back :)

  3. Zero-day by orledrat · · Score: 1

    Am I reading this right? That the man who wrote "Watch Paint Dry" is not able to muster the patience to set a release date barely three days into the future? Those zero-day vuln'ers never cease to amaze...

    1. Re:Zero-day by softnewsit · · Score: 1

      I think he just forgot... from what I read, he wasn't expecting it to be so easy :)))

      --
      Go away!
    2. Re:Zero-day by Anonymous Coward · · Score: 1

      This is more impressive than a zero-day exploit. It's a negative-three-day exploit!

    3. Re:Zero-day by Megane · · Score: 2

      So when does it get Nasalus Rift support? It's just not a proper paint watching without the volatiles in the air.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  4. My job description... by __aaclcg7560 · · Score: 1

    Just what we needed... another IT training app.

    1. Re:My job description... by twotacocombo · · Score: 1

      > Just what we needed... another IT training app.

      Consider yourself lucky; they haven't painted the walls of my office since I got here 8 years ago. All that eggshell, and I didn't even get to watch it dry.

    2. Re:My job description... by __aaclcg7560 · · Score: 1

      > Consider yourself lucky; they haven't painted the walls of my office since I got here 8 years ago.

      My current job is government IT on a large campus. I can't turn around a corner without running into a "paint drying" sign. Painters are always busy around here.

    3. Re:My job description... by AndyKron · · Score: 1

      Eggshell is calming. Have you been calm at work?

  5. Excitement by Anonymous Coward · · Score: 0

    Probably more exciting than what was on German TV over the Easter weekend.

  6. yawn softpedia yawn yawn by Anonymous Coward · · Score: 0

    "Extremely dangerous" because where would we be without the approval of a valve employee?

    1. Re:yawn softpedia yawn yawn by Anonymous Coward · · Score: 0

      I think that's only in the summary, the article doesn't go overboard with any mention of malware threats. Somebody took liberties and added their own opinions in the write-up

    2. Re: yawn softpedia yawn yawn by Anonymous Coward · · Score: 0

      It would have been trivial to include malware though.
      Getting people to download it would have been easy too as he could have named it Half Life 3 if he wanted.
      He didn't have to make a game, be glad a researcher did this and not some ass trying to steal steam accounts.

    3. Re: yawn softpedia yawn yawn by Anonymous Coward · · Score: 0

      And do we know it wasn't trivial for any other approach to include malware? Like, the bog standard usual approach where a valve employee takes a quick look at the thing before rubberstamping it? Or do you just want to cherish the opportunity to bask in the glow of protection from this "researcher" and his nekkid computer security "research"?

  7. Sigh by ledow · · Score: 3, Insightful

    Sigh.

    Validate untrusted data. Don't just rely on a "1" in a form field somewhere to say something is okay.

    I mean... seriously, Valve. I was quite impressed that - as yet - still NOTHING came of your "compromise" where the encrypted credit card database of Steam services was stolen, which means you DID IT RIGHT where countless others couldn't.

    But, seriously? A form field for validation? For God's sake.

    1. Re:Sigh by Anonymous Coward · · Score: 1

      Better than the time you could reset anyone's password by leaving the email confirmation code empty. Valve has a pretty lousy track record with regard to security, especially over the last year.

    2. Re:Sigh by Anonymous Coward · · Score: 0

      Well, the form is not exactly public facing. Supposedly you'd need to have some sort of validation, and access would be anything but anonymous.

      So you would not have to worry about bots banging at it 24/7.

      Still no excuse, as anyone who's compromised someone's developer account could inject some rather malicious content into Steam itself (which end-users generally trust implicitly).

      Yeah, always sanitize your inputs. Also a good warning about border security tunnel vision - As border security does shit-all once the attacker is inside.

    3. Re:Sigh by Anonymous Coward · · Score: 0

      Those people had it coming. There's a reason why your sign-on name is separate from your email address. You couldn't do the password reset without knowing that person's sign-on *WHICH IS SUPPOSED TO BE UNIQUE*. So the people who fell victim to that were either stupid to make their email address their sign-on name or the other person could find it on their computer. And when you can find it on that other person's computer it's game over for them anyway.

    4. Re:Sigh by parkinglot777 · · Score: 1

      Your argument does not change anything about the flaw in Valve's password reset system. The system should be foolproof. If it is not foolproof, then Valve should have made it clear what should be used and what not. If Valve didn't mention anything about it, then it is still Valve's fault regardless of how dumb users are.

    5. Re:Sigh by Anonymous Coward · · Score: 0

      > There's a reason why your sign-on name is separate from your email address

      Early versions of steam only used your email address - having a separate sign-on name was a later addition.

  8. And it has positive reviews! by gQuigs · · Score: 1

    (alright, maybe they are all sarcastic but still)
    He should have submitted it through normal means, who knows how many people would buy it...

  9. Researchers use valve to let off steam. by dsmatthews9379 · · Score: 1

    Nice troll guys, now get back to work.

  10. a walk through on how it was done by pikalek · · Score: 4, Informative

    A walkthrough on how it was done can be read here: http://gamasutra.com/blogs/Rub... or here: https://medium.com/@rubiimeow/...

  11. Well that's better than by Virtucon · · Score: 1

    Paint Drying? Hmm, that's gotta be better than Civilization Beyond Earth.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:Well that's better than by Gojira+Shipi-Taro · · Score: 1

      I like turn based strategy. I don't have the attention span or reflexes for RTSes any more. Of course I waited for Civ: BE to be on a fairly steep discount, but I quite liked it.

      --
      "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked." ~ Donald J. Trump
  12. Considering the level of tech support by the_Bionic_lemming · · Score: 1

    Steam really needs to move away from the "roll your desk" to the "Hire some bosses" because there's no one choosing to work on stuff like testing and tech support.

    I can't get to the store in their Steam client, and I've been ignored for over a month and a half now in the tech support ticket.

    So the lack of security is no surprise.

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  13. If anyone would be cool about this its Valve but.. by butchersong · · Score: 1

    I'm pretty sure if I did this there would be even money on me being charged with something. Now, personally I'm all for this sort of thing but there is no way in hell I'd attach my dev account to it with the risk of being labeled a hacker and raided by some agency or other. Was this guy somehow already affiliated with Valve beyond having a dev account?

  14. On the bright side. by Anonymous Coward · · Score: 0

    At least this one doesn't require a $500 video card.

    1. Re:On the bright side. by rossdee · · Score: 4, Funny

      However a $500 video card could be used as a paint dryer

  15. "Review process" by Anonymous Coward · · Score: 1

    Come on, now. We all know they don't have one.

  16. Entropy by orledrat · · Score: 1

    Sounds like you've got it twisted, sir. They used Steam and, in the end, they let Valve off. Which is also a waste of energy, of course, but the difference is in the direction of entropy. I can readily illustrate this with a paint analogy: when you watch the stuff turn from wet to dry in front of your own eyes you'll say, ah I'll just turn it back later, but NO sir, this same process is NOT reversible, no matter how long you keep staring.

  17. Interesting Game by Bing+Tsher+E · · Score: 1

    It looks like an interesting game, and it looks like it might have a broad base of interested customers.

    That is based on what I saw when I loaded the game's page on Steam. Two of the games Steam says are "More like this" are:

    Stardew Valley

    and

    Fallout 4.

    Those are rather dissimilar games, for anybody who watches the gaming scene.

  18. I can't wait for the award winning sequel... by PFritz21 · · Score: 1

    "Watching Grass Grow".

    1. Re: I can't wait for the award winning sequel... by PixetaledPikachu · · Score: 1

      Or the sequel after that, "watching the grass grow while waiting for the paint to dry"

  19. Re:If anyone would be cool about this its Valve bu by Robadob · · Score: 1

    There was a Medium post by the author; they stated they gained a Steamworks account via a different exploit (which has also been fixed), which they haven't published. https://medium.com/swlh/watch-...

  20. Not surprised by Anonymous Coward · · Score: 0

    I do game dev stuff, and my account has backend access for my publisher - and years ago I noticed something like 'publisher id' in the URL or such, and just thought "hmm, I wonder what would happen if I changed that number?" - lo and behold, when I changed that number I had access to a completely different company's game repository, and could browse around it - and I reported the issue.

    They seem to have changed how this works since, thankfully - but between that, and numerous issues I saw in the Steamworks API - I don't have much faith in their security practices.

    If you read about Valve and their "everyone, artist/mapmaker/etc. should code!" philosophy, it's not a surprise that they have a lot of security issues in their code - their unusual/decentralized approach to development, also suggests to me that nobody is going to focus on security, unless they feel like it.

    They need a dedicated in-house team for finding security issues - and their online platform team needs to be drilled on security issues. There's no excuse for not doing that at this stage, given how big a company they are, and given their customers (game devs and players alike) are risking IP and personal information theft.
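
Added example, not part of any comment in this thread and not Valve's code: a sketch of the two server-side checks the thread raises, namely ledow's point about not trusting a "1" in a form field and the publisher-id-in-the-URL report in comment 20. Every handler name, field name and record below is hypothetical and constructed for illustration.

```python
# Added illustration: every name, field and record here is hypothetical/constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str
    publisher_id: int  # bound by the server at login, never read from the request

# Constructed server-side state: review status lives here, not in the form.
APPS = {101: {"publisher_id": 7, "review": "pending"},
        102: {"publisher_id": 7, "review": "approved"}}
DEPOTS = {7: ["paint.pak"], 8: ["other_studio.pak"]}

class Denied(Exception):
    pass

def _int(params, key):
    try:
        return int(params[key])
    except (KeyError, TypeError, ValueError):
        raise Denied(f"missing or malformed {key}")

def publish_trusting(session, form):
    """Weak: the release decision reads a flag the client controls."""
    return form.get("reviewed") == "1"

def publish_checked(session, form):
    """Hardened: ignore form['reviewed']; use ownership and server-side review state."""
    app = APPS.get(_int(form, "app_id"))
    if app is None or app["publisher_id"] != session.publisher_id:
        raise Denied("app not owned by caller")
    if app["review"] != "approved":
        raise Denied("review not completed")
    return True

def depot_trusting(session, query):
    """Weak: any logged-in caller can name any publisher_id."""
    return DEPOTS[int(query["publisher_id"])]

def depot_checked(session, query):
    """Hardened: the requested id must match the one bound to the session."""
    if _int(query, "publisher_id") != session.publisher_id:
        raise Denied("publisher mismatch")
    return DEPOTS[session.publisher_id]

def allowed(handler, session, params):
    """Run a handler and report whether it permitted the request."""
    try:
        return bool(handler(session, params))
    except Denied:
        return False
```

In both hardened handlers the authorization decision depends only on the session and on state the server holds; request parameters select an object but never assert a right to it.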

  21. Oculus was sort of right by I7D · · Score: 1

    And people were giving Oculus shit for turning off "outside of Oculus" games by default. This is why.

    --
    Neil is that you? Yeah yeah, it's me... Neil...