Update: Watching Paint Dry will be released for free on April 1st after all.
A white-hat hacker and sometime developer has snuck through Steamworks to get a fake game, Watching Paint Dry, onto Steam, and not even by way of the sometimes low standards of Greenlight. Telling the story on Medium, he walks us through the process. While apparently inspecting Steam software for security vulnerabilities, information security researcher Ruby had located a way to exploit certain parts of Valve’s code to get a product into the store, without ever being reviewed by an employee at any level.
Although Ruby tried to inform Valve of its vulnerability for months, it seemed no action was being taken to address it. Thus, the demonstration. Using a Steamworks Developer account, Watching Paint Dry was submitted and “accepted” with no oversight whatsoever, by way of several clever workarounds for the usual process. Both the Steamworks access exploit and the submission process security holes have now been corrected, so anyone looking to get onto Steam should probably remain invested in game design rather than the minutiae of Valve’s code.
The submission in question even included Steam trading cards and rewards, you know, those emoticons and images that people pay real money to trade around? Without any sort of oversight, some alterations to certain forms allowed the elements to be accepted as regular Steam items. So any picture you want could’ve essentially been on a trading card or emoticon. Just picture the possibilities or, rather, try not to.
So what happened here? To sum it up, when I put in the bad request, it returned a full list of options with their values. In this case, I saw that “Released” was value 5. Refreshing the form to get my “editor_accountid” back and changing the value of the select box for “Ready for Review” to 5 from 3 and saving it got to the server as what might be a genuine request from a developer whose trading cards were approved. The server did not check if someone from Valve had already approved this, and just set the status as released.
After “completing” the card review process, he went on to get the game submitted through a similar process, editing more values and finding that the game was already released to the front page. It happened a bit early for the planned April Fool’s prank, but caught enough attention for the vulnerabilities to be patched.
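The check the server skipped, sketched as an added example (this is not Valve's code or anything from Ruby's write-up): the status value posted by the form is treated as untrusted and validated against the caller's role and the item's current state. Only the values 3 ("Ready for Review") and 5 ("Released") come from the quoted description; the role names, the `Item` type and the transition policy are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Status(IntEnum):
    # Only these two values appear in the write-up; others are not modelled.
    READY_FOR_REVIEW = 3
    RELEASED = 5


# Hypothetical policy: (current status, requested status) -> roles allowed.
ALLOWED = {
    (None, Status.READY_FOR_REVIEW): {"developer"},
    (Status.READY_FOR_REVIEW, Status.READY_FOR_REVIEW): {"developer"},
    (Status.READY_FOR_REVIEW, Status.RELEASED): {"reviewer"},
}


@dataclass
class Item:
    owner_id: int
    status: Optional[Status] = None


class Rejected(Exception):
    """Raised when a submitted status change must not be stored."""


def apply_status_change(item, actor_id, actor_role, raw_value):
    """Validate a status value taken from a submitted form before saving it.

    actor_id and actor_role must come from the server-side session,
    never from a field in the form itself.
    """
    try:
        requested = Status(int(raw_value))
    except (TypeError, ValueError):
        raise Rejected("unknown status value") from None
    if actor_role == "developer" and actor_id != item.owner_id:
        raise Rejected("not the owner of this item")
    roles = ALLOWED.get((item.status, requested))
    if roles is None:
        raise Rejected("transition not permitted from current state")
    if actor_role not in roles:
        raise Rejected("role may not set this status")
    item.status = requested
    return item.status
```

With this in place, a developer session that edits the select box to post 5 is rejected and the item stays at 3 until a reviewer session makes the change.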
Ruby was exceptionally responsible in making Valve aware of the threat, and only demonstrated the issue after no action was taken to rectify it at first, and even now only displays information about the bug and his methods which can’t be used to compromise the software any further. The fake game was never actually available for purchase, though on Twitter people have been asking to play it anyhow. Unfortunately, no release is forthcoming. If anyone else was planning on a similar joke for the first of the month, they’ll have to think of a new approach.
The only question we can ask now is, did any games actually get released like this?