Steam is a great platform for new indie devs to make a name for themselves and get their product out there, but sadly, Valve has been lax about policing what games make it to the storefront, allowing quite a bit of less desirable (and that’s putting it mildly) content. Then over the weekend a game called Watch Paint Dry: The Game appeared on Steam. As you can imagine, people were less than thrilled about it.
The game itself is 45 seconds long and is just about (you guessed it) watching paint dry. While the game was posted without going through Valve’s usual approval process, it wasn’t done with the intention of releasing an inferior product to make a quick buck, but to point out a flaw in Valve’s system.
The whole thing was done by a 16-year-old named Ruby Nealon as a prank/last-ditch effort to get Valve’s attention. Nealon noticed a massive flaw in Valve’s system and after they refused to listen, he decided to exploit the hole and release a game without Valve’s approval.
First a little back story on Nealon, he looks for vulnerabilities in major companies’ systems for a living, having told Kotaku he has helped find between 75 -100 vulnerabilities for various major companies, like Microsoft, since he was 11. So it’s safe to say this kid knows his stuff.
In Nealon’s post on Medium, where he documented the ordeal, he said it all started with obtaining a Steamworks account (essentially a program that helps devs get their game ready for Steam). This is where he noticed the vulnerability. Like everything else about Nealon’s prank, his invitation to developer program wasn’t obtained through the proper channels, and he didn’t disclose how he was able to get access, saying:
I’m not going to comment on how/why I have access to Steamworks but I will confirm it was not exploiting any web forms, not Greenlight and not through direct contact with someone from Valve. Despite it no longer working, I’m not going to give any details on how this was done so please don’t ask! I have good reasons not to.
After making the game in RPG Maker Nealon created a fake set of Steam trading cards. Normally a developer would need a Valve editor to look over the cards and approve them, but by digging into the system’s code he was able to make it think the cards had been approved without Valve actually seeing them. Once that was done he moved on to getting the game onto the store, which means making it through Valve’s approval process.
According to Nealon, traditionally, getting Valve’s approval is a three step process: first, you submit your store page to a review queue, then you submit the final or near-final build of your game, then you are given the option to release it. Nealon took a different route, choosing to look through the code instead. In doing so, he found a function called “ReleaseGame(appid, data)” and with a little trickery got the game released.
Like I said at the top of the article, at first people weren’t happy that the game was release; with some people blaming him for the state of the gaming industry. But once word got around that it was all a prank and Nealon was trying to point out Valve’s problem the hate died down.
Overall Nealon was happy with the public’s reaction saying in an interview with Kotaku:
I’ve been happy with people’s reaction to it. People are pissed off about it, and I wanted them to talk about it. I wanted people to realize that this is one of the Internet’s biggest websites, and this is the back end. A f**king 16 year-old did it in two nights.
Valve quickly contacted the young hacker and has since fixed the issues. I guess it goes to show that if you want something done, you have to ruffle a few feathers.