Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher Uses Valve Security Bug To Upload Paint Drying Game On Steam (softpedia.com)

Posted by BeauHD on from the Early-April-Fools dept.

An anonymous reader writes: A security researcher found two bypasses in Valve's game review process that eventually allowed him to publish Steam Trading Cards and a full game on the Steam Store called "Watch Paint Dry" (reference to this case from last month involving the British film censors). The game was supposed to be an April Fools' Day prank, but the researcher forgot to set a release date, and [the game] was published on the Steam Store last weekend. Valve has fixed the security bypass in the meantime. These bypasses were extremely dangerous since they allowed anyone to publish games on the Store (possibly containing malware) without a Valve employee ever taking a look at them, or knowing they went through the review process.

32 of 48 comments (clear)

  1. Damnit! by U2xhc2hkb3QgU3Vja3M · · Score: 4, Funny

    Another Windows-only game!

    1. Re:Damnit! by U2xhc2hkb3QgU3Vja3M · · Score: 1

      Is there a modern "game maker" for old-style SCUMM games? I.E. something that will output game data that can be run on the various SCUMM emulators out there?

    2. Re:Damnit! by U2xhc2hkb3QgU3Vja3M · · Score: 1

      I'm specifically asking for something that will output SCUMM-compatible data so the game isn't platform-dependant. I DO NOT WANT something that will output a useless Windows executable file.

    3. Re:Damnit! by Qzukk · · Score: 3, Informative

      According to http://wiki.scummvm.org/index.... the best way to go about it is to pick an engine that ScummVM supports (SCI, AGI, or Wintermute 2D) and make a game for that engine.

      There's links for each:

      http://wiki.scummvm.org/index....
      http://wiki.scummvm.org/index....
      http://wiki.scummvm.org/index....

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    4. Re:Damnit! by U2xhc2hkb3QgU3Vja3M · · Score: 1

      +5 informative, thank you.

    5. Re:Damnit! by wardrich86 · · Score: 1

      Oh! That makes a lot of sense, actually. Glad that other guy had your back :)

  2. Zero-day by orledrat · · Score: 1

    Am I reading this right? That the man who wrote "Watch Paint Dry" is not able to muster the patience to set a release date barely three days into the future? Those zero-day vuln'ers never cease to amaze...

    1. Re:Zero-day by softnewsit · · Score: 1

      I think he just forgot... from what I read, he wasn't expecting it to be so easy :)))

      --
      Go away!
    2. Re:Zero-day by Anonymous Coward · · Score: 1

      This is more impressive than a zero-day exploit. It's a negative-three-day exploit!

    3. Re:Zero-day by Megane · · Score: 2

      So when does it get Nasalus Rift support? It's just not a proper paint watching without the volatiles in the air.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  3. My job description... by __aaclcg7560 · · Score: 1

    Just what we needed... another IT training app.

    1. Re:My job description... by twotacocombo · · Score: 1

      Just what we needed... another IT training app.

      Consider yourself lucky; they haven't painted the walls of my office since I got here 8 years ago. All that eggshell, and I didn't even get to watch it dry.

    2. Re:My job description... by __aaclcg7560 · · Score: 1

      Consider yourself lucky; they haven't painted the walls of my office since I got here 8 years ago.

      My current job is government IT on a large campus. I can't turn around a corner without running into a "paint drying" sign. Painters are always busy around here.

    3. Re:My job description... by AndyKron · · Score: 1

      Eggshell is calming. Have you been calm at work?

  4. Sigh by ledow · · Score: 3, Insightful

    Sigh.

    Validate untrusted data. Don't just rely on a "1" in a form field somewhere to say something is okay.

    I mean... seriously, Valve. I was quite impressed that - as yet - still NOTHING came of your "compromise" where the encrypted credit card database of Steam services was stolen, which means you DID IT RIGHT where countless others couldn't.

    But, seriously? A form field for validation? For God's sake.

    1. Re:Sigh by Anonymous Coward · · Score: 1

      Better than the time you could reset anyone's password by leaving the email confirmation code empty. Valve has a pretty lousy track record with regard to security, especially over the last year.

    2. Re:Sigh by parkinglot777 · · Score: 1

      Your argument does not change anything about the flaw in Valve's password reset system. The system should be a fool proof. If it is not a fool proof, then Valve should have made it clear what should be used and what not. If Valve didn't mention anything about it, then it is still Valve's fault regardless how dumb users are.

  5. And it has positive reviews! by gQuigs · · Score: 1

    (alright, maybe they are all sarcastic but still)
    He should have submitted it through normal means, who knows how many people would buy it...

  6. Researchers use valve to let off steam. by dsmatthews9379 · · Score: 1

    Nice troll guys, now get back to work.

  7. a walk through on how it was done by pikalek · · Score: 4, Informative

    a walk through on how it was done can be read here: http://gamasutra.com/blogs/Rub... or here: https://medium.com/@rubiimeow/...

  8. Well that's better than by Virtucon · · Score: 1

    Paint Drying? Humm that's gotta be better than Civilization Beyond Earth

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:Well that's better than by Gojira+Shipi-Taro · · Score: 1

      I like turn based strategy. I don't have the attention span or reflexes for RTSes any more. Of course I waited for Civ: BE to be on a fairly steep discount, but I quite liked it.

      --
      "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
  9. Considering the level of tech support by the_Bionic_lemming · · Score: 1

    Steam really needs to move away from the "foll your desk" to the "Hire some bosses" because there's no one choosing to work on stuff like testing and tech support.

    I can't get to the store in their steam client, and i've been ignored for over a month and a half now in the tech support ticket.

    So the lack of security is no surprise.

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  10. If anyone would be cool about this its Valve but.. by butchersong · · Score: 1

    I'm pretty sure if I did this there would be even money on me being charged with something. Now, personally I'm all for this sort of thing but there is no way in hell I'd attach my dev account to it with the risk of being labled a hacker and raided by some agency or other. Was this guy somehow already affiliated with Valve beyond having a dev account?

  11. Re:On the bright side. by rossdee · · Score: 4, Funny

    However a $500 video card could be used as a paint dryer

  12. "Review process" by Anonymous Coward · · Score: 1

    Come on, now. We all know they don't have one.

  13. Entropy by orledrat · · Score: 1

    Sounds like you've got it twisted, sir. They used Steam and, in the end, they let Valve off. Which is also a waste of energy, of course, but the difference is in the direction of entropy. I can readily illustrate this with a paint analogy: when you watch the stuff turn from wet to dry in front of your own eyes you'll say, ah I'll just turn it back later, but NO sir, this same process is NOT reversible, no matter how long you keep staring.

  14. Interesting Game by Bing+Tsher+E · · Score: 1

    It looks like an interesting game, and it looks like it might have a broad base of interested customers.

    That is based on what I saw when I loaded the game's page on Steam. Two of the games Steam says are "More like this" are:

    Stardew Valley

    and

    Fallout 4.

    Those are rather dissimilar games, for anybody who watches the gaming scene.

  15. I can't wait for the award winning sequel... by PFritz21 · · Score: 1

    "Watching Grass Grow".

    1. Re: I can't wait for the award winning sequel... by PixetaledPikachu · · Score: 1

      Or the sequel after that, "watching the grass grow while waiting for the paint to dry"

  16. Re:If anyone would be cool about this its Valve bu by Robadob · · Score: 1

    There was a Medium post by the author, they stated they gained a steamworks account via a different exploit (which has also been fixed), which they haven't published. https://medium.com/swlh/watch-...

  17. Oculus was sort of right by I7D · · Score: 1

    And people were giving Oculus shit for turning off "outside of Oculus" games default. This is why.

    --
    Neil is that you? Yeah yeah, it's me... Neil...