Vulnerability allowed unauthorized game publishing on Steam
A vulnerability in the code of Steamworks made it possible to release a game on Steam without Valve being aware of it. For example, security researcher Ruby Nealon managed to briefly publish his ‘game’ Watch Paint Dry.
To make use of the vulnerability, Ruby only needed a Steamworks account. Steamworks is Valve’s proprietary game publishing platform and provides options such as multiplayer for developers. With the account, he was then able to release his homemade “game” on Steam, without Valve having seen, let alone checked, the game.
This was possible because it was possible to modify the source code during the game submission process. Publishing the trading cards for the game was also possible in this way without the intervention of Valve. When a developer submits the cards, Valve normally reviews them first to make sure they comply with the rules. When submitting the cards, the developer can indicate the status of the cards. The options for this are: Not ready, ready for checking, and not ready for customization.
The code behind the card check page showed Ruby that Valve is tracking the developer’s session and ID number. By changing the ID number to a number of someone who probably works at Valve, for example number 1, and changing the value of the selected option to a non-existent number, Ruby was presented with a different screen. Steamworks featured a Valve employee as the most recent editor of the maps. Also, the option for ‘issued’ appeared in the release status for the cards. By implementing the value of that status, the cards were suddenly approved.
For the release of the game itself, the Watch Paint Dry developer went one step further. According to him, the Steamworks website mainly consists of Ajax, or Asynchronous JavaScript And XML. All code for the JavaScript functions was visible to Steamworks members. In the code he found the function “ReleaseGame(appid, data)”. By calling the function with his app ID and his session ID, the game was published on the Steam platform without control or intervention.
Ruby says he’s been trying to notify Valve about the vulnerabilities in the code for a few months now. When Valve didn’t do anything with it, he wanted to make it an April 1 joke by setting the release date on April 1. His plan was for Watch Paint Dry to hit the Steam store that day, but the game was revealed earlier. After the ‘game’ appeared on Steam, Valve quickly took it offline and fixed the vulnerabilities in the codes, Ruby says. Valve itself has not released a statement about this.