Researcher Uses Valve Security Bug To Upload Paint Drying Game On Steam

An anonymous reader writes: A security researcher found two bypasses in Valve's game review process that eventually allowed him to publish Steam Trading Cards and a full game on the Steam Store called "Watch Paint Dry" (reference to this case from last month involving the British film censors). The game was supposed to be an April Fools' Day prank, but the researcher forgot to set a release date, and [the game] was published on the Steam Store last weekend. Valve has fixed the security bypass in the meantime. These bypasses were extremely dangerous since they allowed anyone to publish games on the Store (possibly containing malware) without a Valve employee ever taking a look at them, or knowing they went through the review process.

Damnit!

[U2xhc2hkb3QgU3Vja3M]

Another Windows-only game!

Re:Damnit!

[Qzukk]

According to http://wiki.scummvm.org/index.... the best way to go about it is to pick an engine that ScummVM supports (SCI, AGI, or Wintermute 2D) and make a game for that engine.

There's links for each:

http://wiki.scummvm.org/index....
http://wiki.scummvm.org/index....
http://wiki.scummvm.org/index....

Sigh

[ledow]

Sigh.

Validate untrusted data. Don't just rely on a "1" in a form field somewhere to say something is okay.

I mean... seriously, Valve. I was quite impressed that - as yet - still NOTHING came of your "compromise" where the encrypted credit card database of Steam services was stolen, which means you DID IT RIGHT where countless others couldn't.

But, seriously? A form field for validation? For God's sake.

a walk through on how it was done

[pikalek]

a walk through on how it was done can be read here: http://gamasutra.com/blogs/Rub... or here: https://medium.com/@rubiimeow/...

Re:On the bright side.

[rossdee]

However a $500 video card could be used as a paint dryer