
Hacker Who Created Fake Game Listing On Steam Says More Vulnerabilities Will Be Found

Earlier this week Ruby Nealon became famous on the internet for managing to get a game onto Valve’s Steam store without anyone at Valve even knowing about it. The “Watch paint dry” game raised concerns about the system Valve has in place when it comes to Steam’s content, and Nealon says that more vulnerabilities will be found on the platform.

Nealon states that it was an HTML-based attack that let him post the game without anyone at Valve approving or even seeing the game before it went live. With this exploit noted and fixed, Nealon went on to point out a way of inserting scripts into pages, potentially taking details from a Valve administrator who wanted to check out their games page. This second exploit was then fixed, although Nealon doesn’t seem too impressed with Steam’s website.

In discussions with Ars Technica, Nealon told them that “it looks like their website hasn’t been updated for years” and even went on to say that “Compared to even other smaller Web startups, they’re really lacking. This stuff was like the lowest of the lowest hanging fruit.”

Nealon wasn’t just upset with the website, though, saying that he won’t be hacking Steam’s platform anymore due to a lack of recognition from Valve on the matter. Nealon wrote on his site that he had tried for months to contact Valve about the exploit he used to post the “watching paint dry” game, but it was only fixed when he publicly demonstrated its viability.

Nealon isn’t happy with Valve’s lack of a bug bounty system, a program where users are rewarded for alerting the company about bugs and issues in their software, something that even apps like Uber have started in recent weeks. He said that he “won’t be finding bugs anymore for Valve because there are plenty of companies that appreciate the time and effort put in by security researchers” and even went on to explain how the entire process had made him feel like “Valve were exploiting me”.

Steam isn’t a service that’s immune to hacks either: last year it was hacked, allowing people to bypass the two-factor authentication required to log into an account from a new machine. Valve has even accidentally exposed users’ details before, with no external help required for that blunder.

Personally, I feel like anyone who puts time and effort into finding a problem and then revealing it to a company should be rewarded, not brushed under a mat and ignored until it becomes an issue the public are aware of.

Gareth Andrews
