I am the guy that uploaded Watch paint dry to Steam and exposed a vulnerability in the submission system! AMA!
My short bio: This is my second AMA actually, first one is here if anyone's curious. Never thought I'd be doing a second! I submitted the game Watch paint dry to Steam using a security vulnerability for which my explanation has received a lot of press! AMA!
My Proof: Twittarrr
Just a note, I will be answering questions all night (until about 1:30 to 2am BST) and the rest tomorrow :) I will try to answer every question!
hiilikecats49 karma
Was thinking of doing ice defrosting. I'd start it by getting it until moisture shows up, then do 2 more episodic parts where it melts a little more, then never make a game like it again.
tezoatlipoca36 karma
Hey! I'm a big fan of aesthetically complete games, so WPD really appealed to me. I think I'm about 40 hrs in and so far the gameplay is exactly what I was looking for. What has me excited is that unlike other games which may only have ~6-8 hrs, I hear the single player is good for 100+ hrs... and has unlimited replay value.
Having said that, is there any immediate plan for Watching Paint Dry 2? or perhaps a paint hue micro-transaction system?
hiilikecats10 karma
Already answered a similar question :)
Was thinking of doing ice defrosting. I'd start it by getting it until moisture shows up, then do 2 more episodic parts where it melts a little more, then never make a game like it again.
hiilikecats10 karma
Nah I'll pay some other company to make a game that shows the paint drying from another perspective.
ploki122-2 karma
Dang, at first I read that as "Nah, I'll play some other company and make a game that shows the paint drying from another perspective."
I'm kinda disappointed, but I guess that's not bad either.
hiilikecats8 karma
I'm referencing Half-Life: Blue Shift, if you missed the reference. :p
hiilikecats35 karma
I was very tempted to and it would've definitely gotten a much bigger response but I wanted to remain responsible and not piss Valve off too much. I think Watch paint dry was so close to being a real Steam game in line with some of the other joke Greenlight games that a lot of people thought it was genuine! :p
virodoran16 karma
How was Valve's response to your vulnerability report (once you finally got through to them)? I don't believe they have a bug bounty program, so was it hard to get ahold of someone who would actually take you seriously?
In your blog post it sounds like you didn't get through to them until after you published the game. Once you got ahold of someone, were they actually good about following up with you, finding out what you did and fixing it and such?
hiilikecats33 karma
They fixed it same day. Didn't acknowledge me on the hall of fame as that's "reserved for reporters that provide several high quality reports over time". No bug bounty was offered. A bit disappointed to be honest, for a company of Valve's size. I don't expect one now and never did, money isn't the biggest motivating factor for me, but if this was Google, Facebook, or another big internet company, they'd be paying out. Even smaller ones thanks to HackerOne!
hiilikecats9 karma
Didn't like school. Been going to online college since I was like 10, thought I'd step up to the real thing. Sort of cheaper too. I had to sell a lot of my stuff as my family couldn't afford to pay for my tuition fees. With "real" university, I get my tuition paid by the government on a loan.
slackvariable5 karma
And your parents were fine with this / encouraged this. And your teachers?
hiilikecats6 karma
Parents encouraged it yes. I was ahead in school but my high school was reluctant to let me sit my GCSEs early so I just did them privately. I integrated really well into my university with the people here and I'm 101% sure I'm having a much better time than I would be in high school! I've met a lot of cool people, travelled to Croatia for a summer school and got myself an internship with a major games studio doing InfoSec :)
pretzelsaregood2 karma
Props dude. So CroTeam? Someone else?
My Brother-In-Law is a Graphic Artist from Zagreb. Any ideas on how he could get a foot in the door?
hiilikecats2 karma
CroTeam
I traveled to Croatia for the summer school but my internship is in Ireland. I'll be keeping it quiet as I don't want anything to reflect on them as a company.
pretzelsaregood1 karma
Cool cool. Good luck with it. If you've got any leads on who to contact, I'd appreciate it. If not no worries. Sorry for bugging you on Twitter.
Edit: Just realized the company is in Ireland, you're not working remotely for CroTeam. Else I think that's what you meant. Sorry for the inconvenience. Don't want to have your AMA reflect on the company in Ireland, CroTeam, or career prospects. Good luck.
DrunkWhenSober5 karma
This is going to be a technical guide further down but getting access to Steamworks for me was also what started my investigation into this. I’m not going to comment on how/why I have access to Steamworks but I will confirm it was not exploiting any web forms, not Greenlight and not through direct contact with someone from Valve. Despite it no longer working, I’m not going to give any details on how this was done so please don’t ask! I have good reasons not to.
So, c'mon, how did ya do it?
hiilikecats6 karma
All I'm going to say is I've got very good personal and business based reasons behind why I'm not releasing this, but I will elaborate and say it was social engineering performed over a few days. No false details about myself were given however (i.e. I did not make out to be D.I.C.E, they knew who I was). They also did not know I wanted the account for security research (nor did I!)
DrunkWhenSober1 karma
I have done the same thing. I've received a couple dev kits under the guise of a "product tester". I mean, it's true, I'm usually testing the product.
Also, a lot of companies in China have some insecure leaks where their source code is posted on GitHub. But I only deal with that because my company also sells Chinese products. They have horrible source code. I wouldn't bother with it if I didn't have to open it up.
Thanks for the info. That's pretty much what I assumed went down.
hiilikecats2 karma
You're not really on the right line of thought, but I've done that a couple of times as well I will admit :p
justscottaustin5 karma
How did it take Steam so long to realize that their integrated platform is -- pretty much by definition -- subject to code injection?
hiilikecats5 karma
I tried notifying them several times before I did it but didn't get a response. Whether they didn't receive the emails or not I don't know, they don't have an autoresponder confirming they received it. I sent another email shortly after releasing the game and they replied to that and sorted it the same day.
de_stroyd3 karma
What do I need to sacrifice to the gods above in order to get a Steam key? All of my life I have wished for a CIA guy card and it finally arrives, impossible to acquire.
hiilikecats3 karma
I'm not releasing them and so far it's not the direct next step in my master plan. Trading cards are no longer available anyway.
Protosega1 karma
A few got on the market somehow, what happens to the people that paid for them?
I saw a few sell for $60+
hiilikecats1 karma
Idk dude :< Steam support sucks so I doubt they're getting a refund. I didn't want them flooding the market anyway... I gave a few keys out to randomers, shame to see they tried to profit from it :/
Fortembras883 karma
What is your overall opinion of Valve as a company after all of this? What inspired you to do this in the first place?
hiilikecats10 karma
Inspiration was the social engineering attempt for the Steamworks account working.
My opinion of Valve has gone down but given how they handle stuff like this it's not unexpected. They did not offer a bounty, did not initially respond and have let me keep my Steamworks account and told me their "hall of fame" (acknowledgements) is for people who consistently submit bug reports. Now I don't want to sound salty but I kinda take that as "Thanks for the bug, but you're gonna have to work harder than that if you want an actual acknowledgement. Keep your Steamworks account and keep doing our security team's purpose for free."
To be fair it worked though, I have found more since and reported them (unrelated and sort of less severe?)
Fortembras882 karma
I'm sure that if this big of an issue was looked over in the Web page source, there has to be a lot of other potential risks elsewhere that could enable someone to do some pretty nasty stuff. I wonder if some of this is being done and we just don't know.
hiilikecats6 karma
Based on the social engineering attempt, I believe apart from Valve employees I'm the only person with a Steamworks account that doesn't have plans to legitimately release a game. I'm not trying to big myself up or anything, but a lot of it was timing, there were a lot of factors in play here. I always find security holes look way more obvious when they're explained anyway. I doubt this is being done and Valve don't know about it.
RetroRiot3 karma
Were you ever curious/scared if there were going to be repercussions from Valve once the game hit the store and everything brought to light?
Bonus: So are the emotes gone forever? Am I never going to see and own smol nozomi and ethan bradberry?
hiilikecats3 karma
Emotes are gone for good unless I find another way around their security but they did ask I don't do anything public facing again.
For the first question, I didn't know honestly.
abaiz2 karma
According to your Twitter it says you're a high school drop out? If you had a choice would you go back, and how has that affected your current profession?
hiilikecats2 karma
If you read my other AMA (linked in the top) and my website, I dropped out of school when I was 14 to pursue a degree full-time and I'm still studying for it. Nearly finished Year 2!
Johnny_The_Lizardman2 karma
I am so excited for your game! Will you make a sequel or another game afterwards?
hiilikecats7 karma
Honestly, I was surprised. Like I don't think I'm a top-tier hacker, and a mix between the fact this worked and someone else hadn't already discovered it shocked me.
hiilikecats3 karma
I'm mates with Triple Q (the guy that drew it) and asked him if I was welcome to use it and he said sure and even made me a sprite version! I used the same trading card release exploit detailed in the guide to do it technically, if that's what you're asking!
hiilikecats4 karma
Very powerful tool and there have been some amazing games made with it! Very good for making paint drying simulators.
res30stupid1 karma
Do you feel that too many people are exploiting PC Gaming such as Steam and overflooding the distribution service with games that are incomplete or below standards? 'Less is more', so to say?
hiilikecats2 karma
Not my thing to comment on, but honestly I think it's a supply/demand thing. Steam controls the supply (especially with trading cards and emoticons) and therefore creates a demand. We need some joke games in my opinion. Whether there are too many I'm not sure, but I'll say that some joke games I've played are better than serious ones that are on Greenlight. Serious != good.
CrazyDave23451 karma
What is your biggest hack ever? If it's the Steam hack, what's your second biggest hack? [I'm a computer programmer]
hiilikecats1 karma
Probably my Corsair one or another that the company didn't acknowledge so I can't release details! I'll say it's government related though.
hiilikecats3 karma
Dude I don't think I'm getting a job there after all this and unless they have a sudden change of security ethic I don't think I'd want one lol
ButterFlamingo1 karma
Do you think Steam would have accepted your game if they looked at it?
hiilikecats2 karma
No. I think Greenlight is a demand based thing but they do have some quality control and a 45-second game is not something they'd allow on the store.
hiilikecats5 karma
I'm not a game dev. I have an idea of how to release this now, and will be doing so hopefully on Friday.
chamuth1 karma
When you're 75 and retired, do you believe you will be able to reflect on your life proudly and believe your contributions to the world will be worth it?
876181117611 karma
Have you/did you look at other pages with the user id as 1? If so, what did you find?
hiilikecats1 karma
The Steamworks website is really patched together, of everything I tested (I only test manually), this was the only form I saw that had an editor_accountid field unless I've made an oversight.
ducemon1 karma
How did the idea of an AmA occur to you? ;)
Seriously though, what's your favourite RPG game?
hiilikecats8 karma
Undertale by far. Pokemon used to be a favorite of mine but it felt like every new release was getting more and more dull. Undertale is a small, but powerful game that was incredibly well made and is just $10. Mine was gonna be $2 for fk sake!
ducemon2 karma
More plans for cheap blockbusters like "Watch the paint dry"?
Maybe "Watch Undertale sales go up"?
donavanshepard2 karma
You should try Lisa: The Painful RPG if you can handle some pretty dark themes for a game.
hiilikecats2 karma
Thanks dude, I'm super busy at the moment with all this and other projects but it's on my 'must play' list now!
hiilikecats1 karma
I don't really "study" to be honest. I learn most of my stuff reading articles off Reddit and stuff in my own time. In terms of coursework and revision for uni, it still leaves me with a lot of free time. I play a lot of guitar usually when I'm not doing anything else or nap :p
justscottaustin0 karma
Would you rather code-inject one horse sized duck or 100 duck-sized horses into Steam's platform? And how long do you think it will take them to realize that their entire platform is vulnerable based on their (lovely) tight distribution and integration model?
While I haven't explored anything other than the obvious exploits, isn't there a SteamOS? Wouldn't that be a better stepping stone for such exploits?
hiilikecats1 karma
100 duck-sized horses, but developers cannot create appids themselves and I don't have a vulnerability for that (yet). I'll be disclosing some other unrelated vulnerabilities once they're fixed.
flarn20060 karma
About getting a Steamworks account, you said this:
Despite it no longer working, I’m not going to give any details on how this was done so please don’t ask! I have good reasons not to.
Since you said we can ask you anything now, how did you get a Steamworks account? :)
Just kidding. (Unless you really do want to answer.) What I really came here to ask is what those "good reasons" are.
hiilikecats2 karma
That'd just hint at it more dude. I'll say that it's not knowing anyone from Valve, though.
hiilikecats1 karma
Right now is not the time. If I do reveal it, I will give an explanation why now was not the time also.
33L_0 karma
Do you develop any "real" games? Not hating on WPD, but do you have any other projects going on?
hiilikecats1 karma
For some reason a lot of media outpoints have referred to me as a "game developer".
I am not a game developer!!! I'm an infosec (information security) person :p.
In terms of infosec projects, yes I do have a few projects I'm working on and am always looking for bug bounties!
NippleDippers138 karma
What will your next game be? Fingers crossed for grass growing