Hacker exploits vulnerabilities to sneak bogus paint-drying game onto Steam store

A white-hat hacker reportedly sneaked his own video game onto Valve's online Steam store without undergoing the usual approval process, in order to point out alleged vulnerabilities in the system.

The term game must be used loosely in this instance. Titled “Watch Paint Dry,” the game was described on Steam as a “puzzle-sports game where you watch paint dry.” While the premise itself is as boring as the name suggests, the methodology behind how it ended up on Valve's list of new releases is the exact opposite.

In a published blog post appearing on Medium, the hacker, who goes by the alias “Ruby,” claims he intended no harm. “This is no more than a prank and was merely to test something I've been trying to report to Valve for the past few months—the ability to get any game you want on Steam, without Valve ever even having a look at it.”

Ruby claimed he was able to bypass Valve's usual vetting process for submitted games by exploiting vulnerabilities on Valve's Steamworks internal publishing platform—vulnerabilities he said he had previously reported to Valve, to no avail. These flaws have now been patched, the hacker noted. SCMagazine.com has reached out to Valve for comment.

Ruby did not offer insight into how he had access to Steamworks in the first place—nor how he created the 45-second-long paint drying simulation that was the essence of the game—but he did explain how he fraudulently got the game published. First, he created some trading cards for the game in Photoshop.

Valve is supposed to review these cards as well as other details like backgrounds before they are released, but Ruby found a workaround by pulling up the source code behind the company's release status form and changing values for the session ID and editor account ID. This “bad request” changed the form to include a full list of options with their assigned values. Ruby plugged some of the new values into the form, which fooled the server into thinking the trading cards were approved.

To get the game itself approved, Ruby took advantage of unobfuscated Ajax code for JavaScript functions that power the Steamworks platform. Ruby pinpointed one particular JavaScript function called “ReleaseGame(appid, data)” that would release his game if he plugged in his app ID as well as the earlier session ID from the trading card release request.

The author suggested that, in the future, companies like Valve make sure that when a game or app is up for evaluation, the review has “an audit trail by giving each piece of content a ‘review ticket’ or something similar and not allowing the content to switch to the Released state until there is a review ticket for the content. Or just don't allow users to set the item to ‘Released.’”
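The review-ticket gate suggested above can be enforced entirely on the server, so that no form value or directly invoked client function can move content to the released state. The sketch below is an added example, not Valve's code or the blog author's; every class, method and account name in it is hypothetical.

```python
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    DRAFT = "draft"
    IN_REVIEW = "in_review"
    RELEASED = "released"

class ReleaseDenied(Exception):
    """Raised when a transition is requested without the required authority."""

@dataclass
class Content:
    content_id: str
    owner_id: str
    state: State = State.DRAFT

class ReleaseService:
    def __init__(self, reviewer_ids):
        self.reviewer_ids = set(reviewer_ids)  # staff accounts, held server-side
        self.tickets = {}                      # content_id -> (reviewer_id, approved)
        self.audit_log = []                    # append-only trail of every decision

    def _log(self, actor_id, content, action, allowed):
        self.audit_log.append((actor_id, content.content_id, action, allowed))

    def submit(self, content, actor_id):
        ok = actor_id == content.owner_id and content.state is State.DRAFT
        self._log(actor_id, content, "submit", ok)
        if not ok:
            raise ReleaseDenied("only the owner can submit a draft")
        content.state = State.IN_REVIEW

    def review(self, content, actor_id, approved):
        # actor_id comes from the authenticated session, never from a form field.
        ok = (actor_id in self.reviewer_ids and actor_id != content.owner_id
              and content.state is State.IN_REVIEW)
        self._log(actor_id, content, "review", ok)
        if not ok:
            raise ReleaseDenied("actor may not review this content")
        self.tickets[content.content_id] = (actor_id, approved)

    def release(self, content, actor_id):
        # No client-supplied status is accepted: the stored ticket alone decides.
        ticket = self.tickets.get(content.content_id)
        ok = (actor_id in self.reviewer_ids | {content.owner_id}
              and content.state is State.IN_REVIEW
              and ticket is not None and ticket[1])
        self._log(actor_id, content, "release", ok)
        if not ok:
            raise ReleaseDenied("no approved review ticket for this content")
        content.state = State.RELEASED
```

Denied attempts are written to the audit log as well, so a release request that arrives without a ticket is visible to whoever monitors the publishing platform.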

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
