Watch Paint Dry is a 45-second-long game about watching paint dry. It was made by a 16-year-old guy who’s not even a game developer. Despite not going through Greenlight or otherwise getting Valve’s holy lambda of approval, it got onto the Steam store.
This might sound like the beginning of a horror story — an odious new era of shit bubbling up onto Steam — but it has a happy ending. The game was both a prank and a test of a massive vulnerability in Steam, a last-ditch effort to get Valve’s attention after they failed to respond to multiple separate emails. Its creator, Ruby Nealon, chronicled the whole thing in a Medium post. In short, he managed to obtain a Steamworks (tools that let developers prep their games for Steam, basically) account in February through, as he puts it, “social engineering”, and he started poking around in its innards.
To get Watch Paint Dry onto Steam, Nealon found that he’d have to get through a three-step approval process: first, his store page (with required features like trading cards) would have to be approved, then he’d have to submit a final build of his game and then he’d get the option to launch. It didn’t take Nealon long to realise that he could spoof the service into believing his game’s hastily slapped together trading cards had already gotten a once-over from a Valve editor. He then found that he could look at the source underlying trading cards, put in a request for information that didn’t exist, and receive a list of options that would actually yield functional results. With that information and approval from a non-existent Valve editor, his game was “ready” for Steam.
After that, it was simply a matter of digging through code for the command to release a game, then inputting his game’s app ID and the session ID he got from the trading cards. That was all it took: Watch Paint Dry appeared in Steam’s “new releases” section, albeit sooner than planned (Nealon originally planned to “release” the game on April 1). It took some tinkering, and Nealon had to know what he was looking for, but it was, in the grand scheme of things, not a particularly difficult process.
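The weakness described above is a service that takes the client's word for which approval steps are complete. As an added illustration (not code from this article, from Nealon's post or from Valve; the session store, role names and the `claimed_reviewer` field are assumptions), a server-side workflow that reads the reviewer's identity from its own session records and checks the app's state before every step refuses both shortcuts:

```python
# Hypothetical model of a three-step release workflow (store page review ->
# final build -> launch). All names are assumptions, not Steamworks code.
from dataclasses import dataclass, field

# Server-side session store: session id -> (user, role). Constructed sample data.
SESSIONS = {
    "sess-dev": ("dev_account", "developer"),
    "sess-editor": ("staff_editor", "reviewer"),
}

class Denied(Exception):
    """Raised when a workflow step is refused."""

@dataclass
class App:
    app_id: int
    owner: str
    state: str = "draft"
    audit: list = field(default_factory=list)

def _advance(app, session_id, expected_state, required_role, new_state):
    # Identity and role come from the server's session store, never from
    # fields in the request body.
    user, role = SESSIONS.get(session_id, (None, None))
    if role != required_role:
        raise Denied(f"{new_state}: role {role!r} may not perform this step")
    if role == "developer" and user != app.owner:
        raise Denied(f"{new_state}: {user!r} does not own app {app.app_id}")
    if app.state != expected_state:
        raise Denied(f"{new_state}: app is in state {app.state!r}")
    app.state = new_state
    app.audit.append((new_state, user))

def approve_page(app, session_id, claimed_reviewer=None):
    # claimed_reviewer models a client-supplied field; it is deliberately ignored.
    _advance(app, session_id, "draft", "reviewer", "page_approved")

def submit_build(app, session_id):
    _advance(app, session_id, "page_approved", "developer", "build_submitted")

def release(app, session_id):
    _advance(app, session_id, "build_submitted", "developer", "released")

def attempt(step, *args, **kwargs):
    """Run one workflow step; return 'ok' or the denial reason."""
    try:
        step(*args, **kwargs)
        return "ok"
    except Denied as exc:
        return str(exc)
```

The `audit` list records which authenticated user performed each transition, which gives reviewers a trail to check when an app reaches the store unexpectedly.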
When people first saw the game on Steam, they were pissed. Speaking during an interview earlier today, Nealon said, “I saw people begging me, ‘How can I get this game?’ and things like, ‘You’re the reason the gaming industry’s gone to shit, you fucking scumbag scamming developer!’” Nealon told me he was always planning to go public with how he did it. His plan was not to get a shitty game onto Steam and rake in ill-gotten bucks that could’ve been claimed by other, more legitimate paint-drying simulators, but rather to get Valve and the general public’s attention.
“I’ve been happy with people’s reaction to it,” Nealon said. “People are pissed off about it, and I wanted them to talk about it. I wanted people to realise that this is one of the internet’s biggest websites, and this is the back end. A fucking 16-year-old did it in two nights.”
Yes, 16. Nealon told me that he’s not a game developer, but rather a 16-year-old university student (he took Open University courses to qualify as a graduated high school student at age 14) and Information Security hobbyist. He said he’s been cracking systems and helping companies fix vulnerabilities since he was 11.
“I always do it for fun, but there are people out there who make a full living doing bug bounties,” he explained. “Even Microsoft — they’re a shitty company, and I don’t like them — but while they didn’t offer me a bounty, they did offer me an acknowledgement. It was December 2012. That was the first thing I ever got. That was when I was 11. I’ve been doing this for quite a long time.”
Nealon estimates that he’s aided with 75-100 security vulnerabilities in total, but only about five or ten have been of the magnitude of his big hits with companies like Microsoft, Corsair (another which he publicly explained) and now Valve. Some companies, he said, have ignored or disavowed him, because, he figures, vulnerabilities make them look bad. One company got his YouTube channel banned after he used it to show them a potential vulnerability in their system. Larger companies, though, tend to pay and credit infosec types. Oddly, however, Nealon told me that Valve did not pay him or offer an acknowledgement, despite the gaping hole he pointed out.
“Not only did they not offer a bug bounty like Google would,” he said, “but they’re not willing to put me on their security acknowledgements page, because apparently that’s only for people who consistently submit bugs at them. I don’t want to sound like I’m bitching for free shit, but if this was Google or something with a similar majority of vulnerability here, Google would pay out. But Valve haven’t offered me anything. I’m not pissed off, but I’m a little bit disappointed, given that it’s a company of Valve’s size.”
There is a practical concern, though. If Valve doesn’t offer bug bounties, it’s unlikely that infosec mercenaries will ever declare open season on potentially catastrophic vulnerabilities like the one Nealon found. He explained in an email he sent to Gabe Newell (that he passed along to me):
“I’m only 16, I started University early when I was 14 and live with my parents. My family isn’t well off, but I get a grant that lets me keep myself financially stable. However, there are people out there who make their living purely off bug bounties. It’s not a stable source of income granted, but you should be able to make a living out of doing it. By not offering a bug bounty, you’re missing out on hundreds of things that could go unnoticed and could even be being exploited right now by the wrong people, just because researchers don’t want to take the time because they can’t afford to spend their time on work that won’t pay.”
I did reach out to Valve to verify that all of this is real and accurate, and they were at least thankful. “Working with Ruby we resolved the issue,” a Valve rep told me. “And we’ll thank him again here for the tip.” Valve let Nealon keep his Steam publishing account so he can hunt around for more bugs. He told me he’s already found another two major issues, which he plans to publish a post about as soon as Valve has closed them up.
Overall, though, it sounds like this has been another Very Valve Incident. All the way back in February, Nealon couldn’t get a response at all, so he had to plan an outsized prank to make Valve pay attention. Even after all that, Valve’s operating in both Valve Time and Valve Space. I suppose, ultimately, it’s worked out for the greater good, though Nealon told me he considered taking it even further.
“I was really tempted as well to call it something like Half-Life 3,” he said. “But I knew they were gonna be pissed off about this. Calling it Half-Life 3 or something, that’s me liable to be sued. I’m only 16, so I’m not sure whether I would be sued. Still, it was very tempting to do that, but I’m glad I kept it as is.”
“Posting the lyrics to Space Jam on an official Steam game page is a marvellous achievement.”