
How I got a game on Steam without anyone from Valve ever looking at it - pierre-renaux
https://medium.com/swlh/watch-paint-dry-how-i-got-a-game-on-the-steam-store-without-anyone-from-valve-ever-looking-at-it-2e476858c753
======
pfooti
This is a pretty cool exploit, and of course reinforces one of the most
important rules of writing software. Don't trust users.

The center of what this kid pulled off to get his game on the front page with
no Valve oversight basically amounted to fiddling around with an HTML form
data and feeding the back end illegal state information.

The fact that the back end's business logic layer didn't verify and authorize
the request is _hugely_ troubling from a big service like steam. What other
dragons are lurking in there to exploit? Could I take ownership of someone
else's game on the store? Get myself some free games by generating reviewer
steam keys? All sorts of interesting activity is possible.

~~~
criley2
> "The fact that the back end's business logic layer didn't verify and
> authorize the request is hugely troubling from a big service like steam. What
> other dragons are lurking in there to exploit? Could I take ownership of
> someone else's game on the store? Get myself some free games by generating
> reviewer steam keys? All sorts of interesting activity is possible."

This feels to me like saying "I can just walk into a big box store, take
something off the shelf and walk out".

Yes, you can. And people do. And yet, outside of extreme circumstances there
isn't much these stores do to stop you. Loss prevention is a leaky sieve and
can cost more than the loss did.

Heck just steal the steam key from a boxed set in a store. The key itself
doesn't have protection. Take a picture of it. Whatever.

Stealing isn't hard, but still we don't do too much of it...

~~~
marshray
> "I can just walk into a big box store, take something off the shelf and walk
> out"

Data security is where our intuition formed from real-world experience falls
down.

Physical theft in a store is bounded by many factors, not the least of which
is someone actually has to carry out the goods without being intercepted.
Stores deploy additional security mechanisms to alert on high-value
merchandise that is small enough to easily conceal. So stores' losses are
bounded by the impracticality of "scaling up" the theft attack.

But digital systems are absurdly brittle. Most systems lack defense in depth
and computers are just as good at scaling up the attacker's transactions as
the legitimate ones. So once the attacker invalidates even the smallest-
seeming assumption made by the developers it tends to lead to complete
compromise of the system.

So when you hear "random web developer made the common mistake of relying on
client side validation" it's kinda like finding a leak in your submarine's
hull.
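The failure pfooti and marshray describe (the client posts whatever state it likes and the back end applies it without checking ownership, role or the legal transition) as an added example, not code from the article or from Valve: a toy model of a storefront "publish" handler in Python. The field names, states, roles and the `attempt` helper are assumptions.

```python
# Added example, not from the article or the thread. A minimal model of a
# storefront publish endpoint; states, roles and form fields are assumptions.
from dataclasses import dataclass

# Transitions the server itself may perform, keyed by (from, to), and the
# role allowed to request each one. The client never names the target state.
TRANSITIONS = {
    ("draft", "submitted"): "developer",
    ("submitted", "approved"): "reviewer",
    ("approved", "live"): "reviewer",
}
ACTIONS = {"submit": "submitted", "approve": "approved", "release": "live"}

@dataclass
class App:
    app_id: int
    owner: str
    state: str = "draft"

@dataclass
class Request:
    user: str   # from the server-side session, not the form
    role: str   # likewise from the session
    form: dict  # submitted HTML form fields: fully client-controlled

def update_state_vulnerable(app: App, req: Request) -> App:
    """Trusts the form: whatever 'state' the client sent becomes the new state."""
    app.state = req.form["state"]
    return app

def update_state_hardened(app: App, req: Request) -> App:
    """Derives the target from a named action, then checks transition, role, owner."""
    target = ACTIONS.get(req.form.get("action"))
    if target is None:
        raise ValueError("unknown action")
    required_role = TRANSITIONS.get((app.state, target))
    if required_role is None:
        raise PermissionError(f"illegal transition {app.state} -> {target}")
    if req.role != required_role:
        raise PermissionError("role not permitted for this transition")
    if req.role == "developer" and req.user != app.owner:
        raise PermissionError("not the owner of this app")
    app.state = target
    return app

def attempt(handler, app: App, req: Request) -> str:
    """Run a handler and report the resulting state, or 'rejected' on refusal."""
    try:
        return handler(app, req).state
    except (ValueError, PermissionError):
        return "rejected"
```

A tampered form that names the final state goes straight through the first handler; the second only ever moves one legal step, and only for the right role and owner.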

~~~
criley2
> "Data security is where our intuition formed from real-world experience falls
> down."

Very sad to see the closed-mindedness in this thread where users reject a very
valid and apt comparison because it does not meet their preconceived notion of
these models.

Ironically the only factor that "knocks down" our intuition is you, when you
reject points without considering them. You knocked down my valid point not
fairly, but unfairly, waving it away without consideration.

> "Physical theft in a store is bounded by many factors, not the least of which
> is someone actually has to carry out the goods without being intercepted.
> Stores deploy additional security mechanisms to alert on high-value
> merchandise that is small enough to easily conceal. So stores' losses are
> bounded by the impracticality of "scaling up" the theft attack."

Very very sad that you cannot see the obvious and basic similarities.

Do you believe it is as simple to steal 1TB of data as it is 1MB? --- So you
agree there are obvious "bounds" to digital that mirror real world?

How about content type? Do you think it's easier to steal data replicated on
their general purpose CDN than say account data hosted internally at one of
their data centers?

Do you believe that online services don't deploy additional security
mechanisms on high-value data?

Do you not realize that digital data losses are bounded by the impracticality
of stealing large amounts of data, too?

I hope that users reading this thread will read + think more than they reject
+ talk because it's very depressing seeing this response here.

~~~
marshray
The recent 'Panama Papers' leak shows that it is indeed practical to steal 2.6
TB of data.

~~~
criley2
And the fact that warehouses are robbed, eighteen wheelers are robbed, trains
are robbed, etc. shows that it is indeed practical to steal literal tons of
goods.

Practical and common, however, are not the same...

(I'll also point out that in my comment I said: is it the same difficulty to
steal 1TB as 1MB? I never said it was impossible, just drawing a distinction).

~~~
marshray
"Sony Hackers Have Over 100 Terabytes Of Documents."
[https://en.wikipedia.org/wiki/Data_breach#cite_ref-17](https://en.wikipedia.org/wiki/Data_breach#cite_ref-17)

~~~
criley2
"Man steals $280,000 by cutting hole in roof of bank"

[http://www.nytimes.com/2016/04/12/nyregion/thieves-take-2800...](http://www.nytimes.com/2016/04/12/nyregion/thieves-take-280000-from-brooklyn-bank-after-carving-hole-in-roof.html)

We can point to outliers that I admitted exist in my original statement all
day long.

Even more fun: my example is temporally relevant :)

------
lazaroclapp
Wait. So... making executable code available to hundreds of millions of users
on a storefront they trust just takes sending a forged HTTP request?

No cryptographic signing process? No automated software analysis and
sandboxing? What the hell was Valve thinking? Watching paint dry is pretty
much the best case outcome for something like this. It could well have been
Mass Effect 3 on Steam for $5, yet the actual code being ransomware...

------
Kristine1975
Moral of the story: If someone tells you about vulnerabilities in your web
software, don't ignore them.

------
Lapsa
there's no human interaction on support either:
[http://pastebin.com/raw/KNLeB6Aq](http://pastebin.com/raw/KNLeB6Aq)

------
ttctciyf
_Watch paint dry_ is also a real game, so to speak; see
[https://m.youtube.com/watch?v=ObckU6cpDJ4](https://m.youtube.com/watch?v=ObckU6cpDJ4)
(2013) for example

------
ben_jones
I thought Steam was a well-funded and well-engineered organization. Am I
wrong?

~~~
johansch
Valve seems to be an insanely well-funded and chaotically managed
organization.

------
shmerl
At least GOG have proper QA.

~~~
PhasmaFelis
Steam has proper QA. What they didn't have was proper web security.

~~~
shmerl
I wouldn't call it proper QA, when they release something like Batman: Arkham
Knight which was horribly buggy. GOG wouldn't have accepted such version.

------
ikeboy
This has been posted 18 times so far, yet never hit the front page until now.
Max points before was 4.

Is this a record for number of reposts before an eventual front page one?

~~~
coredog64
Maybe he found a hack to get his story onto the front page and will document
it in part 2.

~~~
ikeboy
Hackception?

------
dang
We merged a comment into here from one of the gazillion previous posts of this
thread; if anyone knows of any other good comments we can do the same for
them.

~~~
ikeboy
Bug report, sort of: in search, this submission says "2 days ago".

[https://hn.algolia.com/?query=How%20I%20got%20a%20game%20on%...](https://hn.algolia.com/?query=How%20I%20got%20a%20game%20on%20Steam%20without%20anyone%20from%20Valve%20ever%20looking%20at%20it&sort=byDate&dateRange=all&type=story&storyText=false&prefix&page=0)

[https://archive.is/ZJG4x](https://archive.is/ZJG4x)

Not sure what could cause an older timestamp. Was this somehow flagged and
readded or something?

~~~
tristanj
It's because of HN's weird duplicate link policy. The way I understand it,
when someone resubmits a link, and the second resubmission gets more traction
than the original, then the comments/points of the resubmission are
transferred to the original submission and the original submission's
"timestamp" is set to the resubmission's timestamp. The modified timestamp is
used in rank calculations (post rank decays based on age, so a newer timestamp
means a lower decay penalty). The HN search site shows the true timestamp,
which is why on this story you see a mismatch.

Another way to see this is by looking at the post ID. The post before this
one is 11445139
[https://news.ycombinator.com/item?id=11445139](https://news.ycombinator.com/item?id=11445139)
(posted 1 day ago), the post after this one is 11445141
[https://news.ycombinator.com/item?id=11445141](https://news.ycombinator.com/item?id=11445141)
(posted 1 day ago), but this post is 11445140 (posted 4 hours ago). By
deduction, the original post was submitted 1 day ago sometime in-between the
other two.

Basically the system gives credit to the original submission vs the
resubmission. It does look like a bug, and I think it is quite confusing; IMO
there should be a FAQ somewhere explaining how duplicates work.

------
tzakrajs
[https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act](https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act)

~~~
tzakrajs
I don't see why I am being down-voted. This person is admitting to an illegal
act. Valve does not have a bug bounty program which means this person had no
justification to do this legally.

