
Did I plan to get caught? Of course!
If you visited the Steam homepage on Sunday evening, you might have noticed a new game: “We are looking at drying paint.” It caused lively discussion on the forum, where users talked about Valve losing quality control over the Steam Greenlight service. However, this game never went through Greenlight. I didn't even pay the $100 to publish games there.
It seems to me that Greenlight is a good platform for independent developers promoting their games, and I want to apologize to all the developers I may have offended. It was just a practical joke, as well as a test of my theory, which I had been trying to convey to Valve for a few months: that it was possible to place any game on Steam without Valve ever seeing it. All the vulnerabilities have already been fixed, and this guide has only historical value. By the way, the game is not related to the protest about censorship in the cinema.
Getting a Steamworks account
My small investigation into this whole story began with accessing Steamworks. I will not tell you how and why I got access, but I did not use any vulnerabilities in either the forums or Greenlight, and did not communicate with anyone from Valve. I will not disclose these details, and do not ask.

In general, I got access to Steamworks (Valve's internal platform for hosting games on Steam, editing achievements, DRM, multiplayer, etc.), and after that I got the idea to search for vulnerabilities. April 1 was approaching, and I decided to use this opportunity to publish a nameless app and draw Valve’s attention to the problem.
I will omit the description of how I created a 45-second paint drying simulator in RPG Maker, since there is nothing to be proud of there, and it doesn't matter.
Getting Steam Trading Cards Approval
Naturally, what kind of game would it be without Steam cards? I made the cards for the comic set in Photoshop. But doesn't Valve have to look at cards, emoticons and backgrounds before launching?
On the status page there are several initial options:

And what is there in the source?

Interestingly, both the session and the account ID of the editor are tracked. Let's try to change the ID to one that may belong to a Valve employee (say, 1), change the value of the select to a non-existent one, and see if we get a different response.

Interestingly, the replacement "last editor" really turned out to be an employee. And what if we save this form again with the value "Released"?

What happened? When I sent the invalid request, the server returned a full list of options with their values. I saw that Released had a value of 5. Then I updated the form to restore my own editor_accountid and changed the value of the select to 5. The server accepted the command as if it came from a developer whose cards had already been approved. The server did not check whether the cards had already been approved by someone from Valve, and just changed their status.
Valve approval process
The company has a three-stage process for placing something on Steam. First, you send your store page for inspection, then the final build of the game, and then you are given the opportunity to release it.
Releasing the game
The Steamworks site mainly uses AJAX. The JS code is not obfuscated and is visible to everyone (who is authorized in Steamworks). I found an interesting function, “ReleaseGame(appid, data)”. Apparently, it made a typical AJAX request and released the game.

Calling the ReleaseGame function with parameters 445730 (my appid) and empty data gave me a 403 status. Looking at the other functions, I saw that almost all of them add a value called sessionid to the JSON request. We saw this ID before, when we released our cards.

In total, we call ReleaseGame(445730, {'sessionid': 'my_session_id'}):

We go to the Steam store

Yeahuuu! I admit, I actually wanted the game to appear in the "coming out on April 1" section and not to appear on the site until Friday, but it appeared immediately in the new items section. And of course I wanted to find out how far along the path of the game’s release I could go, but I decided that it was better for it not to appear in the list of games available for purchase.
I contacted Valve, who have already fixed this vulnerability.
From all this, I learned that when working with user-generated content, there is no need to make two different statuses, “ready for review” and “approved”. Instead, you can issue a ticket that indicates that the game is awaiting approval, and not change the status to "approved" as long as the ticket exists. Or simply do not allow users to change the status to "approved".
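The server-side check that was missing in the trading-card form, sketched as an added example (not code from the post or from Valve). Only the field names `editor_accountid` and the value Released = 5 come from the post; the classes, the other status values and the `approve` step are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class CardStatus(IntEnum):
    # Only RELEASED = 5 is from the post; the other values are assumed.
    DRAFT = 1
    READY_FOR_REVIEW = 2
    RELEASED = 5


@dataclass
class Session:            # built server-side from the authenticated session
    account_id: int
    is_staff: bool = False


@dataclass
class CardSet:
    owner_id: int
    status: CardStatus = CardStatus.DRAFT
    approved_by: Optional[int] = None   # written only by approve()
    last_editor: Optional[int] = None


class Rejected(Exception):
    pass


def approve(cards: CardSet, session: Session) -> None:
    """Record a reviewer's approval; only staff sessions may do this."""
    if not session.is_staff:
        raise Rejected("forbidden")
    cards.approved_by = session.account_id


def update_status(cards: CardSet, session: Session, form: dict) -> CardStatus:
    """Apply a status change requested in an untrusted form body."""
    try:
        requested = CardStatus(int(form.get("status")))
    except (ValueError, TypeError):
        # Generic error: do not echo the list of valid options and values.
        raise Rejected("invalid status") from None
    # Identity comes from the session; form["editor_accountid"] is never read.
    if session.account_id != cards.owner_id and not session.is_staff:
        raise Rejected("forbidden")
    # The approval record is checked here, on the server, for every release.
    if requested is CardStatus.RELEASED and cards.approved_by is None:
        raise Rejected("not approved")
    cards.status = requested
    cards.last_editor = session.account_id
    return cards.status
```

The approval lives in its own field that only a staff session can write, so a developer's form can ask for Released but cannot supply the approval itself.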
¯ \ _ (ツ) _ / ¯
