Slashdot Mirror


Steam Hacker Says More Vulnerabilities Will Be Found (arstechnica.com)

An anonymous reader shares an article on Ars Technica: The teenager who grabbed headlines earlier this week for hacking a fake game listing on to Valve's Steam store says there are "definitely" more vulnerabilities to be found in the popular game distribution service. But he won't be the one to find them, thanks to what he sees as Valve "giv[ing] so little of a shit about people's [security] findings." Ruby Nealon, a 16-year-old university student from England, says that probing various corporate servers for vulnerabilities has been a hobby of his since the age of 11. His efforts came to the attention of Valve (and the wider world) after an HTML-based hack let him post a game called "Watch paint dry" on Steam without Valve's approval over the weekend. "It looks like their website hasn't been updated for years," Nealon told Ars. "Compared to even other smaller Web startups, they're really lacking. This stuff was like the lowest of the lowest hanging fruit."

37 comments

  1. /. you shouldn't let by Anonymous Coward · · Score: 0

    that slashvertisement stuff rankle. The titles are not humorous.

    1. Re: /. you shouldn't let by Anonymous Coward · · Score: 0

      I'm honestly confused by this and some other posts.

      What's being advertised? The 16 year old?

    2. Re: /. you shouldn't let by Anonymous Coward · · Score: 0

      It is "April Fools Day" when people (and lame websites) make a lot of dumb jokes.

  2. Watching Paint Dry by rvw14 · · Score: 5, Funny

    I am disappointed to find out that this is not a real game. I was just imagining an 8 hour marathon multiplayer session with hundreds of players and how awesome that would be.

    1. Re:Watching Paint Dry by Anonymous Coward · · Score: 0

      Just when I was about to set up a twitch stream for this game, I find out it's fake.

      Sad panda

    2. Re:Watching Paint Dry by subanark · · Score: 2

      Go play the original, Desert Bus, nothing beats it in terms of testing dedication and perseverance in the face of utter boredom and your ability to not sleep.

    3. Re:Watching Paint Dry by Gr8Apes · · Score: 1

      It's just a cheap copy of the original:

      Watching Grass Grow

      which actually has some exciting interactions when the sheep come along

      --
      The cesspool just got a check and balance.
    4. Re:Watching Paint Dry by drew_kime · · Score: 1

      I almost want to get that. Almost.

      --
      Nope, no sig
    5. Re:Watching Paint Dry by ioev · · Score: 1

      I can guarantee that "Twitch" would play it.

    6. Re:Watching Paint Dry by Gravis+Zero · · Score: 1

      i know, right? all i could think was "finally, a game i can win against all the 14-year-olds who torment me! \o/"

      --
      Anons need not reply. Questions end with a question mark.
  3. Lock'im up right away by Anonymous Coward · · Score: 0

    Guilty, because "hacker".

  4. Looking on the bright side... by edxwelch · · Score: 1

    With all those exploitable vulnerabilities at least it will be easier for indies to get their games green lit than it normally is.

  5. No. by Anonymous Coward · · Score: 0

    This 16 year old kid calls himself a "security researcher" as though he's been alive long enough to call himself an expert in anything but jacking off to mom's Victoria Secrets magazines.

    Also, 16 and in University? I call bullshit.

    1. Re:No. by PopeRatzo · · Score: 1

      Also, 16 and in University? I call bullshit.

      I was in university at 17, and there were several freshmen 16 years old (University of Chicago).

      --
      You are welcome on my lawn.
    2. Re:No. by Moridineas · · Score: 1

      That explains a lot ;-)

    3. Re:No. by RogueyWon · · Score: 1

      Skipped the last year of primary school here in the UK after my parents (rightly) decided it was a waste of time and as a result went to university at 17. I knew a few others who did the same, as well as one who went at 16 (but she was frankly weird).

      Don't think it did me any harm, but having to worry about getting IDed pretty much anywhere except the college bar (which just assumed everybody was 18+) for the first few months kinda sucked.

    4. Re:No. by PopeRatzo · · Score: 1

      Sure, whatever you say.

      University of Chicago is a little different. They admitted a student in 2003 who was 12 years old, who went on to get his PhD at 18 and his MD at 21.

      https://youtu.be/SsOs-26lhEQ

      Every year, there are still a handful of incoming freshmen who are under 18. Back in my day, there were usually more. I was one. My last research assistant before I retired was 19 when she worked for me and 16 when she was admitted.

      --
      You are welcome on my lawn.
  6. April Fools or not by H3lldr0p · · Score: 0

    I really do wonder how many games got past the team responsible for the curation of the Greenlight games. Could this explain the pure crap that has been published over the course of the past few years?

    Don't get me wrong, I feel like Greenlight has been a net positive for the indie game community. I just wonder if Valve had started with stronger guidance and participation we wouldn't be having these sorts of questions happening.

    1. Re: April Fools or not by Anonymous Coward · · Score: 0

      It would have got many refund requests. Refund requests flag games. Flagged games got investigated. And eventually pulled. Along with their devs. Social engineering is not real engineering.

  7. The kid's right. by Tobias.Davis · · Score: 0

    So here's a fun test I tried. I work at a corp that has a public wifi hotspot (wanderingwifi). I disconnected my system from ethernet and connected it to the public hotspot. Steam loaded up the splash page right inside of the store page window. I did some further investigation, the browser is detected as chrome 47 under windows 8. Being as the current version of chrome is 50 I can only imagine the exploits that are available for the version that's used for steam. Good luck getting GabeN to do anything about it though; valve customer service is a disgrace to the IT industry.

  8. SLASHVERTISEMENT: Slashdot April 1 announcement by Anonymous Coward · · Score: 0

    We are experiencing some issues with our advertisement detection.

    Sorry for the inconvenience. During this unpredictable day, we suggest reading Science Daily. We will have the problem fixed tomorrow.

  9. Not surprised by fredgiblet · · Score: 3, Interesting

    I'm totally unsurprised by the assertion. I honestly wonder where the hell Valve's money goes. They must be making it hand over fist, yet they can't fix their CS even though they keep promising to and they haven't made much for new games in forever. We need to get someone to infiltrate Valve and do an expose on their inner workings.

    1. Re:Not surprised by Anonymous Coward · · Score: 0

      All Valve's money is tied up in development of HL3, no doubt.

    2. Re:Not surprised by vux984 · · Score: 1

      I honestly wonder where the hell Valve's money goes.

      Steam Controller
      Streaming play from other computers
      Steambox
      Streaming spectating from friends
      Recent VR support

      You may not be interested in any of that, I'm not interested in most of it myself, but I'd say Valve has clearly been doing a lot of development work for the platform.

      I recently picked up a steam controller, and have been impressed with it overall. It's not going to replace keyboard and mouse for shooters for me; and it's not going to replace my xbox 360 for twinstick games like binding of isaac... but it definitely has a niche where it is best in class. And I'm finding I'm reaching to it more and more to use as my couch-mouse for my HTPC, especially with its most recent updates.

    3. Re:Not surprised by fredgiblet · · Score: 1

      True, but they seem to be ignoring the basic functionality of their marketplace, which is where the money for all that comes from. It's like if Amazon had let their storefront stagnate 5 years ago in favor of JUST doing their special projects. I dunno. Maybe I'm wrong, maybe those are all money-making projects, but I doubt it.

    4. Re:Not surprised by vux984 · · Score: 1

      I disagree. They've added the curators, and the explore your queue feature. They've done some work with 2 factor, and completely revamped the marketplace for trading cards etc. They added the refunds.

      They did something with GoG I think to enable some sort of cross-chat / cross-play? I think.

      As for the "basic functionality" of the store front... I'd say it doesn't need much attention... it works. And it doesn't need a team of "UX monkeys" rewriting the user interface every week.

    5. Re:Not surprised by the_Bionic_lemming · · Score: 1

      Maybe it works for you - but in the steam app I can't get to the store front, and support has ignored me for almost two months now despite me posting daily the issue is still there.

      --
      _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    6. Re:Not surprised by vux984 · · Score: 1

      On one device or on any device?
      On one account or on all accounts?

      I will say their support is insanely hard to reach and tedious to deal with, especially for one off issues that aren't widespread.

    7. Re:Not surprised by Anonymous Coward · · Score: 0

      I'd just like an old style usenet "google" group where I can ask questions of other users. Some guy is letting me use his Total War Medieval II and the steam site manual page is blank.

      Plus I'd like a bit of hacking on it.

    8. Re:Not surprised by aliquis · · Score: 1

      True, but they seem to be ignoring the basic functionality of their marketplace, which is where the money for all that comes from. It's like if Amazon had let their storefront stagnate 5 years ago in favor of JUST doing their special projects. I dunno. Maybe I'm wrong, maybe those are all money-making projects, but I doubt it.

      What's the problem with their marketplace?

      One thing they have been doing there is trying to increase the safety for misused accounts so it will be harder to sell or give-away someone else's stuff.

    9. Re:Not surprised by marsu_k · · Score: 1

      I recently picked up a steam controller, and have been impressed with it overall. It's not going to replace keyboard and mouse for shooters for me; and it's not going to replace my xbox 360 for twinstick games like binding of isaac... but it definitely has a niche where it is best in class.

      Out of curiosity (haven't tried it myself), what niche is that? What kind of games? By the looks of it I'd say not fighting games at least.

    10. Re:Not surprised by vux984 · · Score: 1

      The steam controller has moved a LOT of games from games i would only play with keyboard and mouse at a desk to games I will also happily play on the couch with a steam controller. It's not so much better at anything (yet) that I literally won't play the game without the steam controller; but it IS so much better at "mouse and keyboard on the couch" that there are now a whole slew of games I can happily play from the couch with the SC. I'd say that's its niche right now.

      Games such as CivV, Xcom2, Endless Space, Sword of the Stars:The Pit, Space Hulk, Shadowrun, Fallout, Witcher, etc.

      I've also heard it's good for non-competitive FPS like Deadspace, Portal2, Bioshock Infinite, Saints Row...where it is supposedly much better than thumbsticks to use pad+gyro to aim. But I haven't tried that yet.

  10. Valve time by MrLint · · Score: 1

    I have no doubt Valve will fix this right after they have revamped their support portal.

  11. In related news... by SeaFox · · Score: 2

    Fishermen report there are more fish in the sea other than those they have already caught.

  12. Steam community websites full of privacy leaks too by Anonymous Coward · · Score: 0

    Not really security issues, but more examples of bad programming:

    http://steamprivacy.tumblr.com...

  13. It is Valve by Anonymous Coward · · Score: 0

    Valve are hardly known for Good Code in the slightest.

    Source, even at the time, was a terrible engine.
    Source, even after updates to it for years, is still bested by engines that came out the same time it did.
    An engine that takes an age to load anything and even longer to unload it.
    The supposed "great for modding" is the worst lie since barely any mods came out for it because the modders gave up, and the ones that did come out usually never came out for years, came out buggy, and end up getting abandoned. (there are more mods for KILLING FLOOR, a small FPS at best)

    Steam itself, what is literally a web browser, a chat client and file manager, is somehow still terrible after all these years.
    Still thrashing hard drives, the update system is the worst update system I can recall using, interface is an inconsistent mess (despite their best efforts to tidy it up in recent years)

    I used to always say the actual Steam website itself was the best thing Valve has ever made.
    Even though this occurred, that is still true. The rest of Valvecode is horrific.

    I pray to the computing gods that Source2 isn't a hacky piece of crap like Source became.
    Why, why did Valve have to become the "saviours" of PC gaming? Why couldn't it have been literally any other company? Why them?