A 16-year-old teen hacked Steam and then posted a ‘prank’ video game about watching paint dry, which raised concerns among users about the platform’s security.
16-Year-Old Teen Hacks Digital Distribution Platform, Steam
Steam has over 125 million users and accounts for 75% of all PC gaming sales. It handles a lot of money and sensitive data. This is why users raised concerns about security when a 16-year-old teen was able to hack into Steam and post content without the authorization of the platform holder.
The 16-year-old, Ruby Nealon, explains his exploits in a blog post on Medium. He started with the Steamworks Developer Program, which he says is the “backbone” for game achievements, DRM, multiplayer and so on, and made a “basic joke set” of trading cards. Valve is supposed to review and approve these types of submissions before they go live on Steam. Approval involves changing some values on the review form, and after inspecting the options the servers sent back, Nealon was able to induce the servers to mark his submission as “a genuine request from a developer whose trading cards were approved.” Once he had done this, the trading cards’ status was set to “released”.
Nealon says that the Steamworks website code was readable by anyone, and he managed to get an actual game onto the Steam Store. The game was titled ‘Watch paint dry’, and its entire video shows wall paint drying for 45 seconds.
Nealon also explained why he did it: he says it was only to test something he had tried to report to Valve for “the past few months.” However, the vulnerability persisted “without Valve ever even having a look at it.”
Many users will be happy to know that Valve has resolved this exploit, though others raised concerns about Steam’s security. Valve has allowed Nealon to keep his Steamworks account in order to find more bugs. Nealon also discovered major exploits that Valve missed. Nealon claims that Valve didn’t reward him with a “bug bounty” for discovering the exploits.