Security researcher uses flaw in Steam platform to sneak in "watching paint dry" game

Valve has moved to patch vulnerability in the online games store
Valve has moved to patch vulnerability in the online games store

A 16-year-old boy has managed to plant a 45-second long “game” about watching paint dry on the Steam in a last-ditch bid to get Steam's owner, Valve, to respond to a vulnerability he flagged up.

The precocious security researcher Ruby Nealon made the game to draw attention to a massive vulnerability affecting the digital storefront. In a post on Medium, Nealon said he managed to acquire a games developer account for the site in February, through social engineering. This allowed him to start looking through the website to find security problems with Valve in order to alert it to these issues.

After managing to fool his way through a three-step process developers take to get their games on the site, Nealon published the 45-second game “Watching Paint Dry”. Nealon did this by assembling a store page, fake Steam trading cards and approval from a Valve editor who didn't exist.

To do this, Nealon sifted through HTML code. He inputted his game's App ID and the session ID he obtained from the trading cards and managed to get his non-game onto the storefront “new releases” section over the weekend without anyone from Valve being able to acknowledge or approve the “game”.

Nealon said that the lesson to be learned from this was that when working with user-generated content that first needs to be approved, “do not have ‘Review Ready' and ‘Reviewed' as two states of existence for the content.”

“Instead, maybe take an approach where the review of the item has an audit trail by giving each piece of content a ‘review ticket' or something similar and not allowing the content to switch to the Released state until there is a review ticket for the content. Or just don't allow users to set the item to ‘released',” he said.

Jovi Umawing, Malware Intelligence Analyst at Malwarebytes, told SCMagazineUK.com said that the gaming industry is one of the many industries that have not taken security into consideration when developing their products and services.

“As such, flaws in sites that are public-facing will remain open unless they're caught early, or reported bugs are filed by their users. Steam are more proactive than many in this field, and may eventually look into complementing their security hall of fame with a bug bounty program,” she said.

“Additionally, their user security page is quite comprehensive and lists a wide range of threats to individual accounts, and what steps gamers can take to secure themselves. These include the Steam Guard authenticator and restrictions on in-game item trading.”