Sat. Jan 28th, 2023
How a hacker smuggled a game onto Steam without Valve's knowledge

If you watched Steam this weekend, you may have been one of those who noticed a strange game called “Watch paint dry” on the popular digital storefront. The “sports puzzle game that evolves around one mysterious cutscene” wasn’t a new low point in Steam’s increasingly permissive stance on allowing games onto the service. Instead, it was the result of a now-patched exploit that allowed developers to sneak games onto Steam without Valve’s permission.

A teenage British web developer, Ruby, outlined the hacking process in a post to Medium earlier this week. However, even before it was fixed, this exploit was not available to random internet users as it depended on access to the Steamworks Developer Program.

With that access secured (via unannounced means), Ruby dove into the HTML for the Steamworks backend to look for weaknesses. By forcing an “editor ID” variable passed by the page to “1” (which Ruby assumed would be “someone who might work at Valve”), Ruby accessed a new form whose form data revealed what he needed to get an “approved” value for Steam trading cards, a first step in making his game look legit.

From there, it was relatively easy to bypass the usual review queue that Valve uses to approve potential Steam games. By passing his browser’s now falsely authenticated sessionID variable to SteamWorks’ well-documented “ReleaseGame” function, Ruby got the service to accept “Watch paint dry” without the knowledge or approval of anyone at Valve. The security lesson, as Ruby puts it succinctly: “Choose an approach where asset review has an audit trail by giving each piece of content a ‘review ticket’ or something similar and only allowing the content to go to the Released state if there is a rating ticket for the content. Or just don’t allow users to set the item to ‘Released’.”
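The “review ticket” design in that quote can be sketched as a server-side state machine. This is an added example, not code from Ruby's post or from Steamworks; every class, field and ID in it is hypothetical, and the sample users are constructed.

```python
# Added illustration: all names are hypothetical, not Steamworks code.
from dataclasses import dataclass, field
from enum import Enum

class State(Enum):
    IN_REVIEW = "in_review"
    RELEASED = "released"

@dataclass(frozen=True)
class Session:
    user_id: int
    roles: frozenset  # assigned server-side at login, never parsed from a request

@dataclass
class ReleaseWorkflow:
    states: dict = field(default_factory=dict)   # content_id -> State
    tickets: dict = field(default_factory=dict)  # content_id -> (reviewer_id, approved)
    audit: list = field(default_factory=list)    # append-only trail of decisions

    def submit(self, session, content_id):
        self.tickets.pop(content_id, None)  # a new submission voids any old ticket
        self.states[content_id] = State.IN_REVIEW
        self.audit.append(("submit", session.user_id, content_id))

    def review(self, session, content_id, approved):
        # Only a server-side reviewer role can create a review ticket.
        if "reviewer" not in session.roles:
            raise PermissionError("only reviewers can issue review tickets")
        self.tickets[content_id] = (session.user_id, approved)
        self.audit.append(("review", session.user_id, content_id, approved))

    def release(self, session, content_id, form):
        # Identity fields inside `form` (such as an editor ID) are never trusted;
        # the only thing that unlocks RELEASED is an approved ticket on record.
        reviewer_id, approved = self.tickets.get(content_id, (None, False))
        if self.states.get(content_id) is not State.IN_REVIEW or not approved:
            self.audit.append(("release_denied", session.user_id, content_id))
            raise PermissionError("no approved review ticket for this content")
        self.states[content_id] = State.RELEASED
        self.audit.append(("release", session.user_id, content_id, reviewer_id))

if __name__ == "__main__":
    wf, dev = ReleaseWorkflow(), Session(42, frozenset({"developer"}))
    wf.submit(dev, 1001)
    wf.review(Session(7, frozenset({"reviewer"})), 1001, True)
    wf.release(dev, 1001, {})
    print(wf.states[1001], wf.audit[-1])
```

Every denied release attempt is recorded alongside the successful ones, so the audit trail shows who tried to skip review as well as which reviewer approved each release.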

While the vulnerability has now been fixed, this is far from the first time Steam has been found vulnerable to attacks and data leaks from similar exploits. In 2013, Ars discovered a simple method to disclose personal information about Steam accounts set to “private”, leading Valve to close the vulnerability. Previously, ReVuln security researchers have described an attack that allowed hackers to place potentially malicious code on a PC via Steam’s browser protocol. More recently, Steam has seen account takeover exploits and DDoS caching issues revealing personal user pages to strangers.

By akfire1
