Steam hacker says more vulnerabilities will be found, but not by him

(credit: Aurich Lawson)

The teenager who grabbed headlines earlier this week for hacking a fake game listing onto Valve’s Steam store says there are “definitely” more vulnerabilities to be found in the popular game distribution service. But he won’t be the one to find them, thanks to what he sees as Valve “giv[ing] so little of a shit about people’s [security] findings.”

Ruby Nealon, a 16-year-old university student from England, says that probing various corporate servers for vulnerabilities has been a hobby of his since the age of 11. His efforts came to the attention of Valve (and the wider world) after an HTML-based hack let him post a game called “Watch paint dry” on Steam without Valve’s approval over the weekend.

Once that exploit was fixed and publicized, Nealon quickly discovered a second Steam exploit, which Valve has since fixed. This one took advantage of a cross-site scripting hole to hijack a Steam admin’s authentication cookie through Valve’s own administrative Steam Depot page. Before it was reported and patched, this exploit could have given attackers unprecedented control of Steam’s backend, basically letting them pretend to be a Valve administrator.
