Teenager Successfully Hacks Steam To Expose A Pressing Issue

share to other networks share to twitter share to facebook

A teenager recently hacked Steam and released a "prank" video game on watching paint dry. The hack of the 16-year-old, who intentionally wanted to get caught, eventually caused fans to question whether the platform's security measures are secure enough.

Gifted teenager Ruby Nealon wanted to prove Steam's lack of security by publicizing the details of his exploits in a blog post on Medium (h/t Game Rant).

Some of the important details on Nealon's post are as follows:

> Nealon said he was able to access the Steamworks Developer Program, which is the "backbone for game achievements, DRM, multiplayer, etc."
> He made a "basic joke set" of trading cards.
> Nealon placed a bad request to convince servers to view his submission as "a genuine request from a developer whose trading cards were approved."
> Status of the trading card was set to "released" by the system.
> Nealon further played around with Steamworks' website code, which he says was "readable by anyone." The teenager was able to place an actual game on the Steam store, with the game being Watch paint dry,which requires players to watch a wall of paint dry for 45 seconds.

Image Credit: Medium

Steam has access to a ton of sensitive data and profit due to the platform's over 125 million active users and about 75% of all PC gaming sales.

Nealon knows this and he performed the hack on Steam wanting to test a concern that he has reportedly been trying to tell Valve for "the past few months." Valve never took a "look at it" and the vulnerability has stayed live during those months.

Fortunately, Nealon's hack has caused Valve to take action and fix the concern, but some Steam users are still seriously concerned about the platform's security.

Last year in December, Steam had been part of a massive DoS attack that resulted to the platform being taken offline. The attack wasn't focused on just Steam, but if Nealon's hack shows anything, it shows how Steam's online security still remains insufficient.

Since Nealon's exploit, Valve has allowed the teenager to keep his Steamworks account to catch more bugs. Two more has been found by Nealon, who claims Steam hasn't provided him with any "bug bounty" for helping discover the bugs. This puts in question whether other gifted bug busters would be willing to do the work for Steam, which recently changed pricing on its bundle and re-introduced a paid-for-user-created content.