A 16-year-old lad in Manchester, England, exploited flaws in Valve's developer site to publish on Steam an unapproved game about watching paint dry.
Ruby Nealon, a computer science student at Salford uni, said a set of programming blunders in the Steamworks website let him sneak his Watch Paint Dry roleplaying game past Valve's censors and onto gaming store Steam without their approval.
"The Steam store had a game posted to it on Sunday called Watch Paint Dry that was never reviewed by anyone at Valve," Nealon told El Reg. "I published it after they ignored several reports of the vulnerabilities."
Nealon first managed to blag an account on Steamworks, Valve's developer platform, and created some basic in-game trading cards. He then fiddled with the HTML form data sent to Valve's servers to trick the system into thinking they had been approved by a Valve editor. He basically changed his user ID number in a form element from his own to a Valve employee's and then changed the approved state to accepted, and submitted it. Bingo, that worked.
He then used a session ID associated with the approved cards as a session ID for his game package. This fooled the system into think his game was approved, and that allowed him to publish it to the Steam store on Sunday.
Still better than Duke Nukem Forever
"Something I've definitely learned from doing this is when working with user-generated content that first needs to be approved, do not have 'Review Ready' and 'Reviewed' as two states of existence for the content," said Nealon, who started his uni studies aged 14 and also freelances as a web developer.
"Instead, maybe take an approach where the review of the item has an audit trail by giving each piece of content a 'review ticket' or something similar and not allowing the content to switch to the Released state until there is a review ticket for the content. Or just don't allow users to set the item to 'Released'."
Sadly, Watch Paint Dry had only a short run and was pulled from Steam before it could join other iconic boring titles such as Desert Bus and Advanced Lawnmower Simulator in the dull gaming pantheon.
On the bright side, everyone is a bit more secure for the experience, as Valve told The Register on Tuesday that it has fixed the vulnerabilities. ®