Hacker Who Created Fake Game Listing On Steam Says More Vulnerabilities Will Be Found

Earlier this week Ruby Nealon became famous on the internet for managing to get a game onto Valve’s Steam store without anyone at Valve even knowing about it. The “Watch Paint Dry” game raised concerns about the system Valve has in place when it comes to Steam’s content, with him saying that more vulnerabilities will be found on the platform.

Nealon states that it was an HTML-based attack that let him post the game without anyone at Valve approving or even seeing the game before it went live. With this exploit noted and fixed, Nealon went on to point out a way of inserting scripts into pages, potentially taking details from a Valve administrator who wanted to check out their games page. This second exploit was then fixed, although Nealon doesn’t seem too impressed with Steam’s website.

In discussions with Ars Technica, Nealon told them that “it looks like their website hasn’t been updated for years” and even went on to say that “Compared to even other smaller Web startups, they’re really lacking. This stuff was like the lowest of the lowest hanging fruit.”

Nealon wasn’t just upset with the website, though, saying that he won’t be hacking Steam’s platform anymore due to a lack of recognition from Valve on the matter. Nealon wrote on his site that he had tried to contact Valve for months about the exploit he used for posting the “watching paint dry” game, but it was only fixed when he publicly demonstrated its viability.

Nealon isn’t happy with Valve’s lack of a bug bounty system, a program where users are rewarded for alerting the company about bugs and issues in their software, something that even apps like Uber have started in recent weeks. He says he “won’t be finding bugs anymore for Valve because there are plenty of companies that appreciate the time and effort put in by security researchers” and even went on to explain how the entire process had made him feel like “Valve were exploiting me”.

Steam isn’t a service that’s immune to hacks either; last year it was hacked in a way that allowed people to bypass the two-factor authentication required to log into an account from a new machine. They’ve even accidentally exposed users’ details before, no external help required for that blunder.

Personally, I feel like anyone who puts time and effort into finding a problem and then revealing it to a company should be rewarded, not brushed under a mat and ignored until it becomes an issue the public are aware of.

Gareth Andrews
