The teenager who grabbed headlines earlier this week for hacking a fake game listing on to Valve’s Steam store says there are “definitely” more vulnerabilities to be found in the popular game distribution service.
But he won’t be the one to find them, thanks to what he sees as Valve “giv[ing] so little of a shit about people’s [security] findings.”
Ruby Nealon, a 16-year-old university student from England, says that probing various corporate servers for vulnerabilities has been a hobby of his since the age of 11. His efforts came to the attention of Valve (and the wider world) after an HTML-based hack let him post a game called “Watch paint dry” on Steam without Valve’s approval over the weekend.Once that exploit was fixed and publicized, Nealon quickly discovered a second Steam exploit, which Valve has since fixed.
This one took advantage of a cross-site scripting hole to hijack a Steam admin’s authentication cookie through Valve’s own administrative Steam Depot page.
Before it was reported and patched, this exploit could have given attackers unprecedented control of Steam’s backend, basically letting them pretend to be a Valve administrator.
Nealon tells Ars he was inspired to look into Steam simply because he had special access through a Steamworks account (acquired, apparently, though another now-fixed exploit). Looking back on those hacking efforts, Nealon said he was surprised at how easy it was to find such big holes in the underbelly of a major digital business.
“It looks like their website hasn’t been updated for years,” Nealon told Ars. “Compared to even other smaller Web startups, they’re really lacking.
This stuff was like the lowest of the lowest hanging fruit.”
“I felt like Valve were exploiting me”
After publicizing two major holes in Steam in less than a week, though, Nealon says he’s retiring from Steam platform hacking due primarily to a lack of recognition.
Simply getting Valve to pay attention to his findings was an uphill battle in the first place; Nealon writes that the “Watch paint dry” exploit was “something I’ve been trying to report to Valve for the past few months,” but it wasn’t fixed until after he publicly demonstrated its viability this weekend.
And while Valve’s security page gives public credit to a few “Hall of Fame” contributors that have found security vulnerabilities in the past, Nealon says he was discouraged to be told that listing is for “regular contributors only.”
Nealon says he’s also frustrated that Valve doesn’t have any sort of “bug bounty” program to reward users that find and report such issues.
Companies like Google and Facebook would offer hundreds to thousands of dollars to someone who alerted them to problems like the ones Nealon exposed at Valve.
“I won’t be finding bugs anymore for Valve because there are plenty of companies that appreciate the time and effort put in by security researchers,” Nealon said. “See HackerOne, which is an entire platform hundreds of companies use.
I felt like Valve were exploiting me.”
“I don’t want to sound like I’m bitching for free shit, but if this was Google or something with a similar majority of vulnerability here, Google would pay out,” Nealon told Kotaku earlier this week. “But Valve haven’t offered me anything.
I’m not pissed off, but I’m a little bit disappointed, given that it’s a company of Valve’s size.”
Nealon isn’t the first one to look for more proactive security procedures from Valve.
In 2014, some prominent members of the Steam developer community wrote an open letter urging Valve to set up a bug bounty program to encourage the discovery of more security holes. While Valve did formalize its bug reporting process somewhat in response to that request, the company said that “we don’t plan on establishing any formal bug bounty programs for any of our products at this time.” (A Valve representative was not immediately available to respond to a request for comment on this story).
Steam has been the subject of plenty of security and data privacy breaches in the recent past.
In 2011, Steam’s forums were hacked shortly before a wider data breach that may have exposed users’ personal information, along with encrypted passwords and credit card data.
In 2012, security researchers at ReVuln detailed an attack that could let hackers potentially insert malicious code onto a PC through Steam’s browser protocol.
In 2013, Ars discovered a simple method to reveal personal information about Steam accounts that had been set to “private,” leading Valve to patch the hole. More recently, Steam has seen account takeover exploits and DDoS caching issues that revealed personal user pages to strangers.
Besides implementing a bug bounty program, Nealon suggested that Valve should “hire a dedicated application security team to support their developers in writing secure code and audit existing code to look for vulnerabilities (if they don’t have one already).” If the company doesn’t, he predicted more security problems on the horizon.
“I think there are definitely still vulnerabilities out there, and after recent events, people will probably be looking extra hard for them,” he said. “I think people should report something if they find anything, but I will personally not be devoting any more time to a company that seems to give so little of a shit about people’s findings…
After all, this has happened and they still don’t give a shit.”