scroll down

Steam hacker Talks About Vulnerabilities in Steam, There are Still Some

Ruby Nealon, a Steam hacker now made infamous since he hacked the Steam system and put a fake game (Watch Paint Dry: The Game) up on the online game retailer, claims that the Steam website has a large number of vulnerabilities in it, which would explain how often Steam gets hacked over the holiday season.

Nealon also came across a second exploit a short time after Watch Paint Dry was addressed and publicized, which allowed him to take advantage of a cross-scripting hole in the system to allow him to steal an administrator’s authentication cookie through the Steam Depot page. Though this exploit has also been patched, it would have given other hackers like Nealon the ability to pretend to be a Steam administrator.

Nealon’s hacking has made him extremely unimpressed with the security system that Valve uses for Steam.

“It looks like their website hasn’t been updated for years. Compared to even other smaller Web startups, they’re really lacking. This stuff was like the lowest of the lowest hanging fruit.”

Steam was also hacked on Christmas Day back in 2015, which caused Valve to took it down for several hours before the issue was addressed.

However, Nealon’s apparent vendetta against Steam also has more petty means: despite him bringing two different exploits in Steam to Valve’s attention, Valve has not made him part of the “Hall of Fame” on its security page because it was for “regular contributors only”, and has not paid him any sort of “bug bonus” (where you get paid for finding bugs or flaws in security and coding) for him finding the two exploits.

The Steam hacker says that he feels like Valve is “exploiting” him.

“I won’t be finding bugs anymore for Valve because there are plenty of companies that appreciate the time and effort put in by security researchers. See HackerOne, which is an entire platform hundreds of companies use. I felt like Valve were exploiting me.”

“I don’t want to sound like I’m bitching for free shit, but if this was Google or something with a similar majority of vulnerability here, Google would pay out. But Valve haven’t offered me anything. I’m not pissed off, but I’m a little bit disappointed, given that it’s a company of Valve’s size.”