A security exploit in Steam’s database, which allowed any user to release their game onto Steam for free, has now been patched by Valve.
This change comes after one coder managed to get their game on the Steam Store without it ever being approved by anyone at Valve or even touching the Greenlight process.
The normal process for a small indie developer to get a game on Steam these days involves going through Steam Greenlight. As part of that you have to pay a “small” fee of £70 ($100 USD) to even get it listed on the platform, before users can vote to decide the game’s fate. This is used as a barrier to reduce the amount of low effort games posted on the service.
Ruby (@rubiimeow), a programmer and computer-science wizz from Manchester, managed to get their game “Watch paint dry” on Steam via a loophole in the Steamworks backend. This exploit has now been closed after Ruby contacted Valve after releasing the game.
As detailed in Ruby’s breakdown of the process on Medium they were able to set the game as “Released” themselves without ever needing the go-ahead from Valve. By simply editing the source of the webpage in their browser they were able to spoof the approval of someone from Valve and release the game. Through this process Steam Trading Cards were even added and again “Approved”.
“This is no more than a prank and was merely to test something I’ve been trying to report to Valve for the past few months — the ability to get any game you want on Steam, without Valve ever even having a look at it.”
Ruby did this as a way of finally getting Valve’s attention after they seemingly refused to acknowledge Ruby’s attempts at contacting them about this exploit.
Sadly now the Steam store page for “Watch paint dry” has been removed since the loophole was closed but you can still view it in Google’s cache of the page here.