Coder exploits Steamworks loophole to release unverified game

Ruby Nealon snuck Watch Paint Dry onto Steam store after his warnings about virtual backdoor went ignored by Valve
Author:
Publish date:
Social count:
0

If watching paint dry sounds like the kind of game that would never make it onto Steam, you’re (half) wrong.

Ruby Nealon, a UK technology security researcher, took it upon himself to prove that there was a way to bypass Valve’s verification checks and launch a game on the Steam marketplace without being approved.

According to the programmer, who has also revealed loopholes for Microsoft and other firms, it was partly meant as an April Fools Day prank – but also served to highlight issues he had reported to Valve to no avail.

Recounting his complex method for sneaking Watch Paint Dry – a self-described “sports-puzzle game that evolves around one mysterious cutscene” – through Valve’s various authorisations, which include ensuring Steam Trading Cards are included, Nealon offered some advice from his experiences.

"Something I've definitely learned from doing this is when working with user-generated content that first needs to be approved, do not have 'Review Ready' and 'Reviewed' as two states of existence for the content,” he suggested. "Or just don't allow users to set the item to 'Released'."

As for the exploit itself, Nealon pointed the finger at Valve’s Steamworks foundation.

“The Steamworks website is majorly AJAX,” he explained. “All the code for the Javascript functions that powers the source is not obfuscated and readable by anyone (authenticated into Steamworks at least).

“There’s some interesting code, but as this game was a proof-of-concept, I stuck to what was relevant and found an interesting javascript function called 'ReleaseGame(appid, data)'. This seemed to make a typical AJAX request (though there wasn’t any authentication in it) to Steam and seems to, as it says, release the app.”

Valve has since closed the backdoor, so don’t expect a Watch Paint Dry sequel anytime soon.

Related