Valve bans Game Developer from Steamworks for pointing out a vulnerability

erbkaiser

Romanorum Imperator
Jun 20, 2009
1,137
0
0
Just in case anyone fails to grasp the potential security risk of this -- on Windows, the main platform Steam is used on, STEAM BYPASSES UAC BY DESIGN (using the Steam Client Service).
Let that sink in for a second.

This exploit allowed anyone with Steam developer access to place ANY Javascript on a Steam announcement, which means it will automatically be on Steam's front page in the 'Recently Updated' section, and any script contained on that page will be executed by the built-in Steam browser with elevated user access.
 

Vareoth

New member
Mar 14, 2012
254
0
0
Could the bug have been directly used to damage him? If not, then why did he care? Preventative measures are never taken by companies as big as Valve. Better let them burn at their own volition than try to save them from their own shortsightedness.

Good intentions don't get you far when directed at people like them. I hope he gets unbanned though.
 

agent9

New member
Dec 5, 2013
56
0
0
that's the way valve works. fix it when shit hits the fan. as big of a fan as I am I say let them burn a bit next time. then maybe they'll take it seriously.
 

NuclearKangaroo

New member
Feb 7, 2014
1,919
0
0
erbkaiser said:
And again, what was his alternative? Wait until the inevitable malicious exploit gets on Steam?
By all accounts, Valve was informed months ago, and decided to ignore it.
couldn't he contact more devs to try to make his voice be heard? couldn't he start a campaign to let people know there's a potential exploit, he could even put an ingame message in his game or something

there ARE ways
 

Sanunes

Senior Member
Mar 18, 2011
626
0
21
NuclearKangaroo said:
there are rules, he shouldn't have done that

is like robbing a bank and saying "see? you need to hire more security guards!"

valve should've paid attention to him earlier as well, but like I said, he REALLY shouldn't have done that, the ban itself says he violated the steam subscriber agreement

definitely terrible to see this happen though
Well, I think it would play out more like this article when two 14-year-old students were able to hack the Admin mode of an ATM.

Link [http://digital-era.net/14-year-olds-hack-atm-with-default-password/]
 

TheDrunkNinja

New member
Jun 12, 2009
1,875
0
0
Title's kinda misleading, dude. You make it sound like Valve banned him because they didn't want to hear what he was trying to tell them. He got banned for hacking their system. In fact, I'm more than willing to bet he was expecting to be banned after they fixed the vulnerability. Maybe he can make an appeal later, but for the moment, he'll just have to live with his decision.

Valve's community management isn't a judicial system. They're going to ban whoever breaks the rules, period. They aren't meant to make judgments on whether or not you broke the rules for the right reasons.

EDIT: Just so we're clear, I'm not condemning the guy for what he did. So long as he's willing to live with the consequences, I'd say job well done. If, however, he's going around crying about it on the internet, that's where I have no sympathy. He doesn't need defending, and Valve doesn't need condemnation.
 

Scars Unseen

^ ^ v v < > < > B A
May 7, 2009
3,028
0
0
erbkaiser said:
And again, what was his alternative? Wait until the inevitable malicious exploit gets on Steam?
By all accounts, Valve was informed months ago, and decided to ignore it.
Yes. He is a game developer with a business relationship with Valve. He is not a security expert under the employ of Valve. He did well in reporting the vulnerability to Valve, but that is where both his responsibility and rights end on that subject. By going a step further and exploiting the vulnerability, he left himself open to potential consequences for his actions.

It's fine to take a moral stand that conflicts with ethics and legality, but you have to be willing to accept that your actions may have a negative personal outcome. Anything less is childish.
 

erbkaiser

Romanorum Imperator
Jun 20, 2009
1,137
0
0
NuclearKangaroo said:
erbkaiser said:
And again, what was his alternative? Wait until the inevitable malicious exploit gets on Steam?
By all accounts, Valve was informed months ago, and decided to ignore it.
couldn't he contact more devs to try to make his voice be heard? couldn't he start a campaign to let people know there's a potential exploit, he could even put an ingame message in his game or something

there ARE ways
Contacting devs? That is how he got banned in the first place. He was in the Steam dev IRC and they were talking about the exploit. To prove what he said existed, he altered the update to show the Harlem Shake -- Valve finally noticed, and banned him.

The Stanley Parable dev showed the same exploit still exists for attributes (not published, but valid): https://twitter.com/GranPC/status/478554937111371776
I wonder if Valve will ban him too.
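
The class of bug discussed in this thread (script in an announcement body, and the same problem through attributes), seen from the defending side. This is an added example, not part of the original thread and not Valve's code; the `[b]` / `[url=...]` markup, the function names and the sample inputs are assumptions constructed for illustration, since the thread does not describe how Steam announcements are actually rendered.

```javascript
// Added example: context-aware output encoding for user-supplied announcement markup.
// The [b] / [url=...] markup and all function names are assumptions for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for both element-text and quoted-attribute contexts.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Accept only absolute http(s) URLs; javascript:, data: and malformed values are rejected.
function safeUrl(raw) {
  try {
    const u = new URL(raw);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
  } catch {
    return null;
  }
}

// Tokenize first, then encode every piece on output. Markup is never built by
// running replacements over text that has already been turned into HTML.
function renderAnnouncement(src) {
  const token = /\[b\]([\s\S]*?)\[\/b\]|\[url=([^\]]*)\]([\s\S]*?)\[\/url\]/g;
  let out = '';
  let last = 0;
  for (const m of src.matchAll(token)) {
    out += escapeHtml(src.slice(last, m.index));
    if (m[1] !== undefined) {
      out += '<b>' + escapeHtml(m[1]) + '</b>';
    } else {
      const href = safeUrl(m[2]);
      out += href === null
        ? escapeHtml(m[3])
        : '<a href="' + escapeHtml(href) + '" rel="noopener noreferrer">' + escapeHtml(m[3]) + '</a>';
    }
    last = m.index + m[0].length;
  }
  return out + escapeHtml(src.slice(last));
}

// Constructed inputs: a script element, an attribute break-out, a script URL, a benign post.
const samples = [
  'Patch notes <script>alert(1)</script>',
  '[url=http://example.test/" onmouseover="alert(1)]notes[/url]',
  '[url=javascript:alert(1)]notes[/url]',
  '[b]Update 1.2[/b] is [url=https://example.test/notes?a=1&b=2]live[/url]',
];
for (const s of samples) console.log(renderAnnouncement(s));
```

Escaping only the body text would stop the first sample but not the second; the attribute value needs its own validation and encoding, which is the gap the "still exists for attributes" remark points at.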
 

NuclearKangaroo

New member
Feb 7, 2014
1,919
0
0
Sanunes said:
NuclearKangaroo said:
there are rules, he shouldn't have done that

is like robbing a bank and saying "see? you need to hire more security guards!"

valve should've paid attention to him earlier as well, but like I said, he REALLY shouldn't have done that, the ban itself says he violated the steam subscriber agreement

definitely terrible to see this happen though
Well, I think it would play out more like this article when two 14-year-old students were able to hack the Admin mode of an ATM.

Link [http://digital-era.net/14-year-olds-hack-atm-with-default-password/]
the situation is slightly different though, the developer already knew this exploit worked, the kids didn't

he should've looked into other options before doing this, breaking the rules ideally shouldn't be the plan B
 

Johnny Novgorod

Bebop Man
Legacy
Feb 9, 2012
19,347
4,013
118
They didn't ban him for "pointing out a vulnerability", they banned him for hacking the motherfucking system.
 

The Wykydtron

"Emotions are very important!"
Sep 23, 2010
5,458
0
0
Valve/Steam ignoring perfectly reasonable requests and demands? I'm nowhere near surprised, is this a good time to mention how Steam's customer service is so poor it's technically illegal in the UK?

Remember when Steam was heralded as the "saviour of PC gaming?" Yeah me neither. Valve has used up all of their goodwill over the last two years as far as I'm concerned.

Also that Harlem Shake example sounds hilarious, +1 interwebz to that guy. Not like Steam will reverse the ban though, that would be far too reasonable of them, listening to their community even. Dangerous thinking.
 

NuclearKangaroo

New member
Feb 7, 2014
1,919
0
0
erbkaiser said:
NuclearKangaroo said:
erbkaiser said:
And again, what was his alternative? Wait until the inevitable malicious exploit gets on Steam?
By all accounts, Valve was informed months ago, and decided to ignore it.
couldn't he contact more devs to try to make his voice be heard? couldn't he start a campaign to let people know there's a potential exploit, he could even put an ingame message in his game or something

there ARE ways
Contacting devs? That is how he got banned in the first place. He was in the Steam dev IRC and they were talking about the exploit. To prove what he said existed, he altered the update to show the Harlem Shake -- Valve finally noticed, and banned him.

The Stanley Parable dev showed the same exploit still exists for attributes (update since removed): https://twitter.com/GranPC/status/478554937111371776
I wonder if Valve will ban him too.
wait, did he post that update? that's what I think got the eurotruck dev banned
 

Ninjamedic

New member
Dec 8, 2009
2,569
0
0
The Wykydtron said:
Remember when Steam was heralded as the "saviour of PC gaming?" Yeah me neither. Valve has used up all of their goodwill over the last two years as far as I'm concerned.
Two Years? They've been like this for the longest time, hell they're responsible for almost every anti-consumer precedent in gaming. They were just good at PR.
 

Animyr

New member
Jan 11, 2011
385
0
0
Seems the title was misleading; he was actually banned for EXPLOITING the vulnerability, not for merely talking about it as the title suggests.
 

Vegosiux

New member
May 18, 2011
4,381
0
0
Seen it happen before. A guy discovers a vulnerability in our largest bank's system, goes unheard, then demonstrates it by leaving a note that if they contact him, he can help them fix it. Instead they sued him into suicide.

Such stuff shouldn't happen, and Valve really shouldn't pull this.

Johnny Novgorod said:
They didn't ban him for "pointing out a vulnerability", they banned him for hacking the motherfucking system.
While true, it's still counterproductive. This guy had no malicious intent from what it looks like. Hope in this year of his suspension they contact him and work with him to resolve the vulnerability, at least, if the ban doesn't get reversed.
 

gigastar

Insert one-liner here.
Sep 13, 2010
4,419
0
0
Whether or not the guy was in the right, going out and using the exploit to prove your point is not the correct way to get your point across.

Not to mention the obvious ToS violation. He's lucky he only got a year.
 

Ninjamedic

New member
Dec 8, 2009
2,569
0
0
Vegosiux said:
While true, it's still counterproductive. This guy had no malicious intent from what it looks like. Hope in this year of his suspension they contact him and work with him to resolve the vulnerability, at least, if the ban doesn't get reversed.
If they do, it'll be as quiet as possible unless they're forced to admit they fucked up in the event of a large-scale hack.

Right now it's about making an example of him, exactly what Sony did.
 

Johnny Novgorod

Bebop Man
Legacy
Feb 9, 2012
19,347
4,013
118
Vegosiux said:
Johnny Novgorod said:
They didn't ban him for "pointing out a vulnerability", they banned him for hacking the motherfucking system.
While true, it's still counterproductive. This guy had no malicious intent from what it looks like. Hope in this year of his suspension they contact him and work with him to resolve the vulnerability, at least, if the ban doesn't get reversed.
It's like disabling a house's alarm system and vandalizing it "just" to show the owner that you and possibly someone else could. I guess I'll go get a better alarm then but it's still illegal and you're still going down.
 

Scars Unseen

^ ^ v v < > < > B A
May 7, 2009
3,028
0
0
Vegosiux said:
Seen it happen before. A guy discovers a vulnerability in our largest bank's system, goes unheard, then demonstrates it by leaving a note that if they contact him, he can help them fix it. Instead they sued him into suicide.

Such stuff shouldn't happen, and Valve really shouldn't pull this.

Johnny Novgorod said:
They didn't ban him for "pointing out a vulnerability", they banned him for hacking the motherfucking system.
While true, it's still counterproductive. This guy had no malicious intent from what it looks like. Hope in this year of his suspension they contact him and work with him to resolve the vulnerability, at least, if the ban doesn't get reversed.
You're right. Such stuff shouldn't happen. People should know better than to exploit security systems just to prove a point. The Euro Truck dev (and your bank guy) really shouldn't have pulled that.