Watch Paint Dry is a 45-second-long game about watching paint dry. It was made by a 16-year-old guy who’s not even a game developer. Despite not going through Greenlight or otherwise getting Valve’s holy lambda of approval, it got onto the Steam store.
This might sound like the beginning of a horror story — an odious new era of shit bubbling up onto Steam — but it has a happy ending. The game was both a prank and a test of a massive vulnerability in Steam, a last-ditch effort to get Valve’s attention after they failed to respond to multiple separate emails. Its creator, Ruby Nealon, chronicled the whole thing in a Medium post. In short, he managed to obtain a Steamworks (tools that let developers prep their games for Steam, basically) account in February through, as he puts it, “social engineering”, and he started poking around in its innards.
To get Watch Paint Dry onto Steam, Nealon found that he’d have to get through a three-step approval process: first, his store page (with required features like trading cards) would have to be approved, then he’d have to submit a final build of his game and then he’d get the option to launch. It didn’t take Nealon long to realise that he could spoof the service into believing his game’s hastily slapped together trading cards had already gotten a once-over from a Valve editor. He then found that he could look at the source underlying trading cards, put in a request for information that didn’t exist, and receive a list of options that would actually yield functional results. With that information and approval from a non-existent Valve editor, his game was “ready” for Steam.
After that, it was simply a matter of digging through code for the command to release a game, then inputting his game’s app ID and the session ID he got from the trading cards. That was all it took: Watch Paint Dry appeared in Steam’s “new releases” section, albeit sooner than planned (Nealon originally planned to “release” the game on April 1). It took some tinkering, and Nealon had to know what he was looking for, but it was, in the grand scheme of things, not a particularly difficult process.
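The weakness described above comes down to a backend that accepted the caller's word for review state and for who did the reviewing. The following sketch is an added illustration of the server-side checks that close that gap; it is not Valve's code or anything from Nealon's post, and every name in it (`STAFF_REVIEWERS`, `APPS`, `release` and the rest) is hypothetical.

```python
from dataclasses import dataclass, field

# Constructed data: hypothetical staff directory and workflow order.
STAFF_REVIEWERS = {"editor-001"}
ORDER = ["draft", "store_page_approved", "build_submitted", "released"]

class Denied(Exception):
    """Refusal with a fixed message: no list of valid options is echoed back."""

@dataclass
class App:
    owner: str
    state: str = "draft"
    approved_by: str = ""
    audit: list = field(default_factory=list)

APPS = {1001: App(owner="dev-42")}  # constructed app record

def _advance(app, actor, target):
    # Transition is judged against the state stored server-side, one step at a time.
    ok = ORDER.index(target) == ORDER.index(app.state) + 1
    app.audit.append((actor, target, "ok" if ok else "denied"))
    if not ok:
        raise Denied("request refused")
    app.state = target

def approve_store_page(session_user, app_id):
    app = APPS[app_id]
    if session_user not in STAFF_REVIEWERS:  # reviewer must exist and be staff
        app.audit.append((session_user, "store_page_approved", "denied"))
        raise Denied("request refused")
    _advance(app, session_user, "store_page_approved")
    app.approved_by = session_user

def submit_build(session_user, app_id):
    app = APPS[app_id]
    if session_user != app.owner:
        raise Denied("request refused")
    _advance(app, session_user, "build_submitted")

def release(session_user, app_id, params):
    # params is client-controlled; fields such as "status" or "reviewed_by"
    # in it are never consulted. Only the stored record decides.
    app = APPS.get(app_id)
    if app is None or session_user != app.owner:
        raise Denied("request refused")
    _advance(app, session_user, "released")
    return app.state
```

The audit list records refused transitions as well as successful ones, so a release attempt against an unreviewed app leaves a trace that can be alerted on.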
When people first saw the game on Steam, they were pissed. Speaking during an interview earlier today, Nealon said, “I saw people begging me, ‘How can I get this game?’ and things like, ‘You’re the reason the gaming industry’s gone to shit, you fucking scumbag scamming developer!’” Nealon told me he was always planning to go public with how he did it. His plan was not to get a shitty game onto Steam and rake in ill-gotten bucks that could’ve been claimed by other, more legitimate paint-drying simulators, but rather to get Valve and the general public’s attention.
“I’ve been happy with people’s reaction to it,” Nealon said. “People are pissed off about it, and I wanted them to talk about it. I wanted people to realise that this is one of the internet’s biggest websites, and this is the back end. A fucking 16-year-old did it in two nights.”
Yes, 16. Nealon told me that he’s not a game developer, but rather a 16-year-old university student (he took Open University courses to qualify as a graduated high school student at age 14) and Information Security hobbyist. He said he’s been cracking systems and helping companies fix vulnerabilities since he was 11.
“I always do it for fun, but there are people out there who make a full living doing bug bounties,” he explained. “Even Microsoft — they’re a shitty company, and I don’t like them — but while they didn’t offer me a bounty, they did offer me an acknowledgement. It was December 2012. That was the first thing I ever got. That was when I was 11. I’ve been doing this for quite a long time.”
Nealon estimates that he’s aided with 75-100 security vulnerabilities in total, but only about five or ten have been of the magnitude of his big hits with companies like Microsoft, Corsair (another which he publicly explained) and now Valve. Some companies, he said, have ignored or disavowed him, because, he figures, vulnerabilities make them look bad. One company got his YouTube channel banned after he used it to show them a potential vulnerability in their system. Larger companies, though, tend to pay and credit infosec types. Oddly, however, Nealon told me that Valve did not pay him or offer an acknowledgement, despite the gaping hole he pointed out.
“Not only did they not offer a bug bounty like Google would,” he said, “but they’re not willing to put me on their security acknowledgements page, because apparently that’s only for people who consistently submit bugs at them. I don’t want to sound like I’m bitching for free shit, but if this was Google or something with a similar majority of vulnerability here, Google would pay out. But Valve haven’t offered me anything. I’m not pissed off, but I’m a little bit disappointed, given that it’s a company of Valve’s size.”
There is a practical concern, though. If Valve doesn’t offer bug bounties, it’s unlikely that infosec mercenaries will ever declare open season on potentially catastrophic vulnerabilities like the one Nealon found. He explained in an email he sent to Gabe Newell (that he passed along to me):
“I’m only 16, I started University early when I was 14 and live with my parents. My family isn’t well off, but I get a grant that lets me keep myself financially stable. However, there are people out there who make their living purely off bug bounties. It’s not a stable source of income granted, but you should be able to make a living out of doing it. By not offering a bug bounty, you’re missing out on hundreds of things that could go unnoticed and could even be being exploited right now by the wrong people, just because researchers don’t want to take the time because they can’t afford to spend their time on work that won’t pay.”
I did reach out to Valve to verify that all of this is real and accurate, and they were at least thankful. “Working with Ruby we resolved the issue,” a Valve rep told me. “And we’ll thank him again here for the tip.” Valve let Nealon keep his Steam publishing account so he can hunt around for more bugs. He told me he’s already found another two major issues, which he plans to publish a post about as soon as Valve has closed them up.
Overall, though, it sounds like this has been another Very Valve Incident. All the way back in February, Nealon couldn’t get a response at all, so he had to plan an outsized prank to make Valve pay attention. Even after all that, Valve’s operating in both Valve Time and Valve Space. I suppose, ultimately, it’s worked out for the greater good, though Nealon told me he considered taking it even further.
“I was really tempted as well to call it something like Half-Life 3,” he said. “But I knew they were gonna be pissed off about this. Calling it Half-Life 3 or something, that’s me liable to be sued. I’m only 16, so I’m not sure whether I would be sued. Still, it was very tempting to do that, but I’m glad I kept it as is.”
“Posting the lyrics to Space Jam on an official Steam game page is a marvellous achievement.”
Comments
25 responses to “16-Year-Old Hacker Sneaks Game Onto Steam Without Valve’s Approval”
Nobody will remember you next week, champ.
No one remembers you now, chump.
Remembers who? I forgot who you were talking about.
As long as you haven’t forgotten about Dre, chimp.
Me: Hmm, what was I doing when I was 16?
*reflects back on the pointless void of my youth*
Me: Oh, right….
I was busy dating girls and playing Ragnarok Online and Maple Story. No Ragrets.
It was either furious masturbation or playing video games
That too, couldn’t get laid so furious masturbation all the way.
Amateur. It had to be one or the other? Why not at the same time?! 😛
It’s all about moderation.
Plus I’m a man, I’m apparently terrible at multitasking, so I’d end up losing an eye or something.
EDIT: or something ELSE’S eye *nods head wisely*
I was (am?) a complete nerd so dating was out of the question. So yeah, mostly masturbating like Jiggle.
Valve’s reputation has been marred a bit recently, mostly to do with the fact they don’t seem to value interaction with their customers anymore. Just like the Christmas atrocity, there was pretty much zero communication until it was well over. Valve should look towards replacing whoever they put in charge of actually representing the Steam Service.
Now, now… What other company allows its customers to interact with each other’s personal information during the most festive of all holidays?
If anything they took their love of customer interaction to a whole new level 😉
Anymore or ever?
The sad thing is, when I saw this game appear on the New Releases page I didn’t even bat an eyelid because it’s the kind of thing I expect to see appear every so often.
Reminiscent of when someone exploited the heartbleed vulnerability on steam group pages in order to get Valve to address said vulnerability.
http://www.kotaku.com.au/2014/04/south-park-gets-name-change-following-internet-security-flaw/
He’s obviously got the initiative and skill to bypass security measures; regardless of how much of a petulant, irksome little bastard he sounds, vulnerabilities are vulnerabilities.
HAH. I was amused by the trailer when I saw it pop up.
I am a little reassured that it was just a stunt, though.
He sounds like he is whining a bit about how he’s not getting paid for finding these vulnerabilities.
Hot tip: hacking someone’s services and parading that publicly on the Internet for anyone to see is not how you get paid for vulnerabilities. It’s how you get sued.
He’s only 16, but if he’s got the smarts to do this, he should have the smarts to work out the right and wrong way to earn bug bounties.
I think he’s more frustrated that they didn’t seem to care about it at all. They just ignored him, and the vulnerability, until he did this.
Err he did it the right way. He emailed Valve multiple times with the information and they flat out ignored him. So like most people who get ignored when trying to help he went ahead and showed them in real time.
Also, submitting bugs, being ignored, then showing the bugs publicly is exactly how you get paid for identifying vulnerabilities. Microsoft has been in the shit before (Server 2008 bugs iirc) for ignoring zero day bugs that have been reported by infosec hobbyists and ended up changing how they do business with them.
I do agree he does sound like he is whining though… who says they aren’t whining if they aren’t actually whining. :s
Sort of did it the right way, anyway.
Something that tends to happen a lot with bug-finding is that everyone who finds a bug tends to think that the bug they found is important.
But the folks who have to fix them, usually have to fix a lot of bugs, and they can’t just fix each one immediately when they see it. They do triage – they have a list, based on priorities. The most important question is always: “How likely is someone to find this, and how great will the impact be?”
It’s kind of unethical to decide that – for the sake of your ego – that this question shouldn’t be asked, or if it is asked, not liking the answer that says, “Kinda unlikely, and not too bad.”
It seems like several layers of security had to fail for this to go through. The answer to the question is very likely to have been that it wasn’t a huge risk… until the petulant hacker decided to make it one by publicizing it.
System integrity and security doesn’t take place in a vacuum. Public awareness of holes in security is an actual security factor, and by exploiting it, he actually worsened security instead of improving it. He decided, unilaterally, that the flaw he found was more important to fix than anything else Valve might’ve been working on, and forced the decision to fix it by artificially making it urgent.
That’s unethical.
There is a reason why Steam/Valve has a very bad reputation with customer service! This guy should have known that beforehand. They simply ignore everyone until you open a PAYPAL case against them or something extreme like that.
Is there a VR version of this game?
Reading between the lines, he makes it sound like he wants to get paid for finding it. But a social engineering / basic spoofing exploit is certainly on the “simple” end of coding/security knowledge. Hence why a child found it, and hence why Valve aren’t treating it the same as an exploit granting admin access or a list of usernames and passwords.
A thank you email is justifiable, and I think Valve gave him one. Wanting some public acknowledgement on Steam website is just petty vanity.