Steam Hacker Publishes Fake Game to Highlight Valve's Security Holes

By Gary Cutlack on at

A chap has managed to self-publish a comedy title via Valve's Greenlight section of its Steam service without paying or having the game reviewed, by exploiting security holes he said he'd been telling Valve about for months -- but it didn't listen. So he hacked a thing up there to gain its attention.

The guy who put together the hack has also assembled a full explainer on how he opened up Valve's systems, saying that his starting point was a valid Steamworks developer account -- although he wouldn't say how he came into possession of such a thing. The next step was to create some trading cards and fiddle around with the submission page's HTML code, critically changing the editor account ID number to a value that may well belong to someone within Valve.

That worked, so he self-approved the trading cards and used this valid session ID to trick the Steam store into letting him validate his own full game. And up it popped. Manchester student Ruby Nealon said it wasn't supposed to instantly hit distribution, as his game -- Watch Paint Dry -- was only intended as a beacon to signal the exploit's existence to Valve.

"I will admit that it appearing straight away in the new releases section was an oversight on my part, explained Ruby on Medium. "I initially wanted it to have 'Coming April 1st' and not show up until Friday (though I wouldn’t have expected it to last that long)," but... a hack's a hack.

Valve's fixed the problem now, seeing as it was brought to their attention in such a public manner. [Ruby via The Register]

Want more updates from Gizmodo UK? Make sure to check out our @GizmodoUK Twitter feed, and our Facebook page.