April Fools' Day prank goes off earlier than expected

Mar 29, 2016 19:10 GMT  ·  By

April Fools' Day started early on Steam this year, as a security researcher known as rubiimeow (Ruby Nealon) decided to show Valve that its game upload process contains flaws that allow anyone to release games on the Steam Store without going through the review process.

Steam has already fixed the issue, and to be fair, in order to exploit it, most of you would have needed a Steamworks account, which only game developers can get.

The researcher first published fake Steam Trading Cards...

The researcher actually found two problems. The first loophole was part of the Web forms used to handle new Steam Trading Cards submissions.

He discovered that this form, despite having some security measures in place, allowed an attacker to modify the session ID value. Changing that value to "1" rendered the form fields normally displayed only to Valve employees. This allowed Nealon to view the form in its entirety as Steam reviewers see it.

He then used the details obtained from the full trading cards submission form to alter the HTTP request sent from his own form, changing the parameters to make it look like the cards had already been reviewed by a Steam employee and were now ready for publishing.

...and then a fake game on the Steam Store

But this was not all. He found a second Valve review bypass via another form in the Steam game review process. This process usually involves three steps.

First, developers create a page for the game (Wayback Machine link here), which the researcher had no problem creating and getting reviewed. Then game developers have to upload the game binaries. If a game is scheduled for release in the future, this step can be skipped, which the researcher also did.

This allowed him to access the third and final step, where the game developer requests access to have his game published on the official Steam Store.

As before, the Web form that handled the game's release also contained flaws that let Nealon go around Valve's review process. The game publishing process was handled via an AJAX request sent to Valve's servers.

The researcher discovered he could forge this request by adding the game's ID and his own session ID to the request manually, and then sending it to the Valve server, making it appear as if the game had already been reviewed.

Researcher failed to set the fake game's release date for April Fools' Day

His experiment was successful, and he was able to publish a game right on the Steam Store without a single Valve employee having the opportunity to look at his files. Where the researcher did fail was in forgetting to set the game's release date to April Fools' Day.

"Something I’ve definitely learned from doing this is when working with user-generated content that first needs to be approved, do not have 'Review Ready' and 'Reviewed' as two states of existence for the content," the researcher explained.

"Instead, maybe take an approach where the review of the item has an audit trail by giving each piece of content a 'review ticket' or something similar and not allowing the content to switch to the Released state until there is a review ticket for the content. Or just don’t allow users to set the item to 'Released,'" he also concluded.
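The difference between the two designs, as an added illustration that is not code from Valve or the researcher: a minimal content store in which the weak publish handler trusts a client-supplied review state (the pattern behind both bypasses above), beside a hardened handler that only releases an item when a server-side review ticket created by a reviewer exists for it. Class and method names are hypothetical.

```python
import secrets
from dataclasses import dataclass

@dataclass
class ReviewTicket:  # server-side audit record; only a reviewer can create one
    ticket_id: str
    item_id: int
    reviewer: str
    approved: bool

@dataclass
class Item:
    item_id: int
    owner: str
    state: str = "review_ready"  # review_ready -> reviewed -> released
    review_ticket: str = ""      # id of the ticket that approved it, set server-side

class ContentStore:
    def __init__(self, reviewers):
        self.items, self.tickets, self.reviewers = {}, {}, set(reviewers)

    def weak_publish(self, request: dict) -> bool:
        # Weak: the review state comes from the client, so a forged request skips review.
        item = self.items[int(request["item_id"])]
        if request.get("state") == "reviewed":
            item.state = "released"
            return True
        return False

    def review(self, item_id: int, reviewer: str, approved: bool) -> str:
        # Only reviewers can create a ticket; the ticket is the audit trail.
        if reviewer not in self.reviewers:
            raise PermissionError("only reviewers can create review tickets")
        ticket = ReviewTicket(secrets.token_hex(8), item_id, reviewer, approved)
        self.tickets[ticket.ticket_id] = ticket
        item = self.items[item_id]
        item.review_ticket = ticket.ticket_id
        item.state = "reviewed" if approved else "review_ready"
        return ticket.ticket_id

    def hardened_publish(self, item_id: int, actor: str) -> bool:
        # Hardened: the client names the item only; release depends on the server-side ticket.
        item = self.items[item_id]
        if item.owner != actor:
            raise PermissionError("only the owner may request release")
        ticket = self.tickets.get(item.review_ticket)
        if ticket is None or ticket.item_id != item_id or not ticket.approved:
            return False
        item.state = "released"
        return True
```

In the hardened path the user can still request release, but the state transition is decided entirely by data the user never controls.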

UPDATE: This article was updated to remove an incorrect reference to the 10.5-hour-long movie of paint drying on a wall submitted to the British Board of Film Classification.