Steam security loophole exposed by Watch Paint Dry


Watch Paint Dry is “a sports-puzzle game that evolves around one mysterious cutscene. Bringing in innovative gameplay and requiring high attention to detail, Watch Paint Dry is a must play for anyone who enjoys mystery ARG type games.” Or perhaps I should say, it was: It appeared on Steam over the weekend, but only briefly—because it wasn't supposed to be there at all.

If you think it sounds like a gag, there's good reason: That's precisely what it was. The whole thing was cooked up by UK-based security researcher Ruby Nealon, who was inspired to pull the prank after efforts to report a loophole that allowed games to be put on Steam without Valve approving them went ignored.

The process for getting the “game” on Steam, which he posted on Medium, is fairly complicated, but also obviously not nearly as complicated as it should be. The big dependency is having access to Steamworks, Valve's internal publishing platform.

“The Steamworks website is majorly AJAX. All the code for the JavaScript functions that power the source is not obfuscated and readable by anyone (authenticated into Steamworks at least),” he explained. “There’s some interesting code, but as this game was a proof-of-concept, I stuck to what was relevant and found an interesting JavaScript function called 'ReleaseGame(appid, data)'. This seemed to make a typical AJAX request (though there wasn’t any authentication in it) to Steam and seems to, as it says, release the app.”

Using the ID number assigned to his app didn't work, but tying it into a “sessionid” he dug up while getting the Steam trading cards approved (a process he explains earlier in the post) made the magic happen.

“I will admit that it appearing straight away in the new releases section was an oversight on my part. I initially wanted it to have 'Coming April 1st' and not show up until Friday (though I wouldn’t have expected it to last that long),” he wrote. “I will also admit I was very tempted to try and see how far along releasing it I could get, but I think it’s for the best that the app is not listed for sale.”

Nealon has since been in contact with Valve, and the loophole has been closed, which is presumably why he felt safe making the process public. He said his escapade has taught him a few things about working with user-generated content (foremost among them presumably being, “don't allow users to set the item to 'Released'”), and he apparently suffered no consequences for it. That's a happier outcome than the one that met Euro Truck Simulator 2 developer Tomas Duda when he exposed a different Steam vulnerability with an amusing prank of his own a couple of years ago: He ended up with a one-year ban from Steam for his troubles, although it was fairly quickly overturned once the word got out.
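The lesson in that parenthetical, sketched as a server-side check (an added example, not Valve's or Nealon's code; the app records, session table and function names are all hypothetical): the server takes identity from the session, refuses client-supplied release fields, and releases an app only after a reviewer has approved it.

```javascript
// Constructed sample data: two apps owned by one partner, one still in review.
const apps = new Map([
  [1001, { ownerId: "partner-1", reviewStatus: "pending", state: "unreleased" }],
  [1002, { ownerId: "partner-1", reviewStatus: "approved", state: "unreleased" }],
]);
// Constructed sessions: the server, not the request body, decides who is calling.
const sessions = new Map([
  ["sess-partner", { userId: "partner-1" }],
  ["sess-other", { userId: "partner-2" }],
]);

// Fields a partner may edit. "state" and "reviewStatus" are deliberately absent.
const PARTNER_EDITABLE = new Set(["name", "description"]);

// Resolve the session and confirm the caller owns the app.
function authorize(sessionId, appId) {
  const session = sessions.get(sessionId);
  if (!session) return { status: 401, error: "no valid session" };
  const app = apps.get(appId);
  if (!app || app.ownerId !== session.userId) {
    return { status: 403, error: "not your app" };
  }
  return { status: 200, app };
}

// Metadata update: any field outside the allow-list fails the whole request.
function updateApp(sessionId, appId, data) {
  const auth = authorize(sessionId, appId);
  if (auth.status !== 200) return auth;
  const rejected = Object.keys(data).filter((k) => !PARTNER_EDITABLE.has(k));
  if (rejected.length > 0) {
    return { status: 400, error: "fields not editable: " + rejected.join(", ") };
  }
  Object.assign(auth.app, data);
  return { status: 200 };
}

// Release: the owner may ask for it, but only a reviewer's approval allows it.
function releaseApp(sessionId, appId) {
  const auth = authorize(sessionId, appId);
  if (auth.status !== 200) return auth;
  if (auth.app.reviewStatus !== "approved") {
    return { status: 409, error: "app has not passed review" };
  }
  auth.app.state = "released";
  return { status: 200 };
}
```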

Watch Paint Dry is no longer available on Steam, but you can still play around with it thanks to the magic of Google cache.

Thanks, Eurogamer.

Andy Chalk
