Sometimes the only way to get an organization to listen to you when it comes to existing vulnerabilities in their products is to exploit them yourself and make the proof of the exploitation visible.
That’s what Ruby Nealon, a 16-year-old computer science student at the University of Salford, did: to prove that he had discovered a couple of review bypass bugs affecting Valve’s Steam platform, he leveraged them to get some Steam Trading Cards approved, and to publish a bogus game on the Steam Store without it being reviewed and approved by the company’s employees.
How he managed to do that and technical details about the bugs can be found in this blog post, but the bugs are no more – Valve has already fixed them.
In short, he managed to change the values of his submissions to make it look like they were already seen and approved, and the Valve server just set their status to “Released.”
“Something I’ve definitely learned from doing this is when working with user-generated content that first needs to be approved, do not have ‘Review Ready’ and ‘Reviewed’ as two states of existence for the content,” he noted.
“Instead, maybe take an approach where the review of the item has an audit trail by giving each piece of content a ‘review ticket’ or something similar and not allowing the content to switch to the Released state until there is a review ticket for the content. Or just don’t allow users to set the item to ‘Released’.”
In order to be able to do all of this he had to be invited to participate (open an account) in the Steamworks Developer Program, but he decided not to explain how he managed to get invited, even though that loophole has also been closed.
He said that he has good reasons not to share those particular details, but explained that he didn’t exploit any web forms or Greenlight, or have direct contact with anyone from Valve.
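The review-ticket approach Nealon describes above, as an added example (not Valve's code and not code from the page): the server ignores any client-supplied state and refuses to release an item unless an approving ticket issued by staff is on record. All class, method and account names are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    REVIEW_READY = "review_ready"
    RELEASED = "released"


class ReviewError(Exception):
    """A requested state change is not permitted."""


@dataclass
class Store:
    staff: set                                   # accounts allowed to review
    states: dict = field(default_factory=dict)   # item_id -> State
    owners: dict = field(default_factory=dict)   # item_id -> submitting account
    tickets: dict = field(default_factory=dict)  # item_id -> (reviewer, approved)
    audit: list = field(default_factory=list)    # append-only trail

    def submit(self, item_id, owner, fields):
        # A state or reviewed value inside `fields` is never read by the server.
        self.owners[item_id] = owner
        self.states[item_id] = State.REVIEW_READY
        self.audit.append(("submitted", item_id, owner))

    def review(self, item_id, reviewer, approved):
        # `reviewer` must come from the authenticated staff session, not the request body.
        if reviewer not in self.staff or reviewer == self.owners.get(item_id):
            raise ReviewError("reviewer is not authorised for this item")
        if self.states.get(item_id) is not State.REVIEW_READY:
            raise ReviewError("item is not awaiting review")
        self.tickets[item_id] = (reviewer, approved)
        self.audit.append(("reviewed", item_id, reviewer, approved))

    def release(self, item_id, actor):
        reviewer, approved = self.tickets.get(item_id, (None, False))
        if self.states.get(item_id) is not State.REVIEW_READY or not approved:
            raise ReviewError("no approving review ticket on record")
        self.states[item_id] = State.RELEASED
        self.audit.append(("released", item_id, actor, reviewer))


def demo():
    # Constructed input: the submission carries a state value the server must ignore.
    store = Store(staff={"reviewer_a"})
    store.submit(1, "dev_1", {"name": "Sample", "state": "released"})
    return store
```

Because the release record names the reviewer whose ticket authorised it, any "Released" item without a matching "reviewed" entry in the audit trail is immediately detectable.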