16-Year-Old Hacked Steam to Promote His Game About Watching Paint Dry

Well, Steam has been going on and on about how it improved its security and made changes to keep scammers out of its platform. However, they couldn’t keep a 16-year-old hacker out of their system.

Ruby Nealon, the 16-year-old in question, exploited a vulnerability in the system and hacked Steam to publish his game on Steam without Greenlight approval or anyone at Valve knowing about it.

The game is called Watching Paint Dry, which is what it’s about – watching paint dry, literally. The vulnerability he exploited has now been fixed thanks to Nealon.

He was in contact with Valve and helped them fix this backdoor into Steam, which was his agenda from the beginning.

“I have been in contact with Valve who have now fixed the vulnerability,” wrote Nealon at the end of his post. “TL;DR — I was responsible for Watch paint dry. Getting caught was part of my plan. It’s just a prank, bro!”

So how did he manage to publish his game on Steam? Well, Nealon manipulated a JavaScript function on Steam by adding his app ID and session ID from his trading cards.

“Something I’ve definitely learned from doing this is when working with user-generated content that first needs to be approved, do not have ‘Review Ready’ and ‘Reviewed’ as two states of existence for the content. Instead, maybe take an approach where the review of the item has an audit trail by giving each piece of content a ‘review ticket’ or something similar and not allowing the content to switch to the Released state until there is a review ticket for the content. Or just don’t allow users to set the item to ‘Released’.”

A smart 16-year-old indeed!
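
The design lesson quoted above, sketched as a server-side state gate in which a request that merely names the "released" state is refused unless a review ticket is on record. This is an added example, not Steam's or Valve's code and not taken from Nealon's post; the state names, `Item`, `TICKETS`, `file_review_ticket` and `request_state` are all hypothetical.

```python
# Added illustration: every name here is hypothetical, not a Steam API.
from dataclasses import dataclass, field
from enum import Enum

class State(Enum):
    DRAFT = "draft"
    REVIEW_READY = "review_ready"
    RELEASED = "released"

class TransitionDenied(Exception):
    """Raised when a requested state change is refused."""

@dataclass
class Item:
    item_id: int
    owner: str
    state: State = State.DRAFT
    audit: list = field(default_factory=list)

# Review tickets live server-side, keyed by item id; clients cannot supply one.
TICKETS = {}

def file_review_ticket(item, reviewer, reviewer_is_staff):
    """Record an approval. Only staff other than the owner may review."""
    if not reviewer_is_staff or reviewer == item.owner:
        raise TransitionDenied("reviewer must be staff and not the item owner")
    if item.state is not State.REVIEW_READY:
        raise TransitionDenied("item is not awaiting review")
    TICKETS[item.item_id] = reviewer
    item.audit.append(f"TICKET by {reviewer}")

def request_state(item, actor, target):
    """Handle a client request naming a target state; the name alone grants nothing."""
    allowed = False
    if target is State.REVIEW_READY:
        # Owners may only ask for review, and only from DRAFT.
        allowed = actor == item.owner and item.state is State.DRAFT
    elif target is State.RELEASED:
        # Release needs a ticket on record, whoever sends the request.
        allowed = item.state is State.REVIEW_READY and item.item_id in TICKETS
    verdict = "OK" if allowed else "DENIED"
    item.audit.append(f"{verdict} {actor}: {item.state.value}->{target.value}")
    if not allowed:
        raise TransitionDenied(f"{item.state.value}->{target.value} refused for {actor}")
    item.state = target
```

Denied attempts are written to the audit list before the exception is raised, so a refused release request leaves a record even though the item's state does not change.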