Researcher Uses Valve Security Bug To Upload Paint Drying Game On Steam

An anonymous reader writes: A security researcher found two bypasses in Valve's game review process that eventually allowed him to publish Steam Trading Cards and a full game on the Steam Store called "Watch Paint Dry" (reference to this case from last month involving the British film censors). The game was supposed to be an April Fools' Day prank, but the researcher forgot to set a release date, and [the game] was published on the Steam Store last weekend. Valve has fixed the security bypass in the meantime. These bypasses were extremely dangerous since they allowed anyone to publish games on the Store (possibly containing malware) without a Valve employee ever taking a look at them, or knowing they went through the review process.

Sigh

[ledow]

Sigh.

Validate untrusted data. Don't just rely on a "1" in a form field somewhere to say something is okay.

I mean... seriously, Valve. I was quite impressed that - as yet - still NOTHING came of your "compromise" where the encrypted credit card database of Steam services was stolen, which means you DID IT RIGHT where countless others couldn't.

But, seriously? A form field for validation? For God's sake.