Watch Paint Dry -- How a young hacker hacked through Steam Greenlight

Hacker used a prank to point out a security loophole on Steam Greenlight.

No, Watch Paint Dry is not a real game that passed Steam Greenlight, and it is not a photoshopped picture for April Fool's Day because it happened on March 29th. The game is a result of a security loophole in Steam that allowed people to skip protocol and post a game.

Before I explain this particular Steam loophole, let me first describe how Steam Greenlight works. The Steam Greenlight program allows game developers to submit and sell their games on Steam. Before Steam releases the game, game developers must pay $100 USD, so it can weed out any non-professional developers who don't think their game can meet the break-even point of $100. Then, developers need to earn the approval of the Steam Community to pass Steam Greenlight. It can be a long waiting period depending on the community. After these two steps, the game can finally be released on Steam. Lastly, developers and Steam will share their revenue and Steam will help the developers with the marketing.

Back to the topic. A clever young hacker named Ruby, a blogger on Medium who researches security loopholes, managed to skip the $100 fee and Steam Community portions of the process and submitted his "game" Watch Paint Dry on Steam a few days before April Fool's Day. Just like other games on Steam, it has a trailer, screenshot, description, and feedback.

Screenshot of Watch Paint Dry

In his Medium article, Ruby said he got a Steamworks account from Steam. This is an account for developers who develop and sell their games on Steam. People who hold these accounts are the backbone of Steam. He did not reveal how he got it, but as soon as he got into the “club”, he just changed some code and was able to release his game. Of course, in the end, Ruby got caught and Watch Paint Dry was quickly taken down. This was a part of his plan, too. His plan was to notify Valve of their security loophole.

Hacker being invited and granted access to Steamworks 

Today, high-tech companies like Google, Facebook, and Microsoft have a bounty system for these "white-hat" hackers who report loopholes to the company. Some of them even consider this to be a full-time job with an accompanying high salary. This can be a great way of "submitting your resume" to a high-tech company and proving your coding skills.


Published Apr. 7th 2016