How a teen hacker placed his own game on Steam's storefront

March 30, 2016 by Kris Ligman

Ruby Nealon tried for months to convince Valve there were security vulnerabilities on its Steam platform. When Valve didn't listen, Nealon went ahead and used the exploit himself to prove a point.

Watching Paint Dry is everything that it says on the tin: it's a game where you watch paint dry. Even calling it a game might be stretching the definition, because what 16-year-old hacker Ruby Nealon was trying to do with this 45-second experiment was force major PC game publishing service Steam to address a hole in its own security.

After obtaining a copy of the publishing software developers use to prepare their games for Steam, Nealon was able to spoof his way through Valve's three-step approval process. Through a combination of a hastily assembled store page, fake Steam trading cards and approval from a Valve editor who didn't exist, Nealon marched Watching Paint Dry right into Steam's "new releases" section, to the immediate ire of players.

"You’re the reason the gaming industry’s gone to shit, you fucking scumbag scamming developer!" one Steam user told him (or something like it), according to Nealon in an interview with Kotaku. The stunt didn't go off entirely without a hitch: Watching Paint Dry went live immediately, not on April Fools' Day as planned, but that in itself reveals how effortlessly a hacker could make changes to Steam's storefront if they knew what they were looking for.

Nealon, a "white hat" hacker who has been rooting out security vulnerabilities on various websites and services since he was 11, had tried to alert Valve to this problem "for the past few months" but received no response. By pulling the prank, Nealon forced a public and swift correction, and as of this writing the loophole Nealon used to get his game on Steam has already been squashed.

This didn't stop some players from taking Watching Paint Dry as a sign (or critique) of Steam's declining curation standards, as with its Greenlight service, where many independent developers try to secure a place on the digital storefront through popular vote. Nealon said his prank was not meant to shame anyone but Valve itself.

"I’d like to apologise if I’ve caused any offense to indie game developers who are struggling to get their games on to steam [sic]," Nealon wrote in a blog post on Medium detailing the hack and why he did it. "I think Greenlight personally is a great platform for people to get their indie games a lot of exposure."

It could have been a lot worse. Nealon said he contemplated uploading his game under the title Half-Life 3 instead. "That's me liable to get sued," he noted. "I’m only 16, so I’m not sure whether I would be sued... but I’m glad I kept it as is."

I don't know; sounds like the sort of thing Zero Cool was taken to court for, and he was 11 at the time. Best to stay safe out there, kid.

Kris Ligman is the News Editor of ZAM. You have no idea how much they wanted to use a picture of Jonny Lee Miller as the header for this article. Hack the planet with them on Twitter @KrisLigman.