Watch Paint Dry: How I got a game on the Steam Store without anyone from Valve ever looking at it.

Ruby, published in The Startup, Mar 29, 2016

Was getting caught part of your plan? Of course!

If you were on the Steam homepage on Sunday night, you might have noticed a somewhat interesting new title available: “Watch paint dry”. This sparked a lot of controversy on Steam (and I, honestly, had a little bit of fun in the forum :p), as people were claiming that Valve/Steam had lost all quality control for games on Greenlight. But this game was never on Greenlight. In fact, I haven’t even paid the $100 “no time wasters fee” to post games to Greenlight. Personally, I think Greenlight is a great platform for people to get their indie games a lot of exposure; it has made, and will continue to make, working as an indie game developer a viable career option. And I’d like to apologise if I’ve caused any offense to indie game developers who are struggling to get their games onto Steam. This is no more than a prank and was merely to test something I’ve been trying to report to Valve for the past few months — the ability to get any game you want on Steam without Valve ever even having a look at it. This guide is already outdated, as Valve have fixed these issues, but if you were to travel back in time then this is a definitive guide on how to release your game! Just another quick note: this has nothing to do with the film censorship protest. I only found out about that today, and this doesn’t have as much “meaning” behind it.

Getting a Steamworks account

This is going to be a technical guide further down, but getting access to Steamworks was also what started my investigation into this. I’m not going to comment on how/why I have access to Steamworks, but I will confirm it was not by exploiting any web forms, not through Greenlight, and not through direct contact with someone from Valve. Even though that route no longer works, I’m not going to give any details on how it was done, so please don’t ask! I have good reasons not to.

Either way, I’d gotten access to Steamworks (Valve’s internal publishing platform for Steam and the backbone for game achievements, DRM, multiplayer, etc.) and this gave me the idea to look around for vulnerabilities. I tried contacting Valve about these but didn’t get a response. Eventually, nearing April, I decided to use the “untitled app” for an April Fools prank to try and get Valve’s attention about the issues.

I’m going to cut out the part where I made the 45-second long paint drying simulator in RPG Maker as I’m not particularly proud of it and it’s not relevant.

Getting the Steam Trading Cards approved

What sort of game would “Watch paint dry” be without some amazing trading cards? After 10 minutes in Photoshop I’d made a basic joke set to play about with. However, Valve need to review the cards, emoticons and backgrounds before I can release them. Ah, but do they?

Looking at the page at first glance, we can see the release status has a few initial options:

Interesting, what about the source behind this form?

Editor Note: Some elements from the page have been removed to save space in photos and not give out irrelevant information

Interesting: they’re tracking my session AND the editor account ID. Let’s try changing this to someone who might work at Valve (i.e. account ID 1), change the value of the select to something that doesn’t exist, and see if we get back a different form.

Hmm… that’s interesting. The new “Last editor” is someone from Valve. And if we save the form again with the value of the selected “Released” box?

So what happened here? To sum it up, when I put in the bad request, it returned a full list of options with their values. In this case, I saw that “Released” was value 5. Refreshing the form to get my “editor_accountid” back, then changing the value of the select box from 3 (“Ready for Review”) to 5 and saving it, reached the server as what looked like a genuine request from a developer whose trading cards had been approved. The server did not check whether someone from Valve had actually approved this; it just set the status to Released. Okay, onto getting the game onto the store.

Valve’s approval process

To give you a bit of insight: before Valve puts anything on Steam, they have a 3-step release process. First, you submit your store page to a review queue, then the final or near-final build of your game, and then you are given the option to release it.

The main event: releasing the game

The Steamworks website is mostly AJAX-driven. The JavaScript that powers the site is not obfuscated and is readable by anyone (authenticated into Steamworks, at least). There’s some interesting code, but as this game was a proof-of-concept, I stuck to what was relevant and found an interesting JavaScript function called “ReleaseGame(appid, data)”. This seemed to make a typical AJAX request to Steam (though there wasn’t any authentication in it) and seems to, as the name says, release the app.

A quick overview of the ReleaseGame function

Making a call to ReleaseGame with the parameters 445730 (my appid) and blank data gave me a 403 (Forbidden) error. Interesting. I had a look at some other functions in the file and noticed almost all of them were adding a value to the JSON request called “sessionid”, with the session ID that we saw before when releasing our own trading card set.

The comment helped too!

So, calling ReleaseGame(445730, { 'sessionid': 'my_session_id' })?

And over to the steam store…

Tah-dah! I will admit that it appearing straight away in the new releases section was an oversight on my part. I initially wanted it to have “Coming April 1st” and not show up until Friday (though I wouldn’t have expected it to last that long). I will also admit I was very tempted to try and see how far along releasing it I could get, but I think it’s for the best that the app is not listed for sale.

I have been in contact with Valve who have now fixed the vulnerability.

Something I’ve definitely learned from doing this: when working with user-generated content that first needs to be approved, do not model review as just two statuses, “Review Ready” and “Reviewed”, on the content itself. Instead, give the review an audit trail by creating a “review ticket” (or something similar) for each piece of content, and do not allow the content to switch to the Released state until a review ticket exists for it. Or just don’t allow users to set the item to “Released” at all.
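As an added illustration (not code from this post or from Steamworks), here is a minimal server-side status handler that applies the lesson above to both the trading-card form and the release call: the acting account comes from the server-side session rather than a hidden editor_accountid field, the client can only name an action rather than a status value, approvals are recorded as review tickets, and nothing reaches Released without one. The status numbers are the ones the post reports; the reviewer account set and the submitter account id are constructed placeholders.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    DRAFT = 1
    READY_FOR_REVIEW = 3  # the select value the post reports for "Ready for Review"
    RELEASED = 5          # the select value the post reports for "Released"


class ReviewError(Exception):
    pass


@dataclass
class Item:
    status: Status = Status.DRAFT
    review_tickets: list = field(default_factory=list)  # (reviewer_id, status reviewed)
    audit: list = field(default_factory=list)           # (account_id, action)


STAFF_ACCOUNTS = {1}  # hypothetical reviewer role; a real system looks this up server-side


def handle_status_form(item: Item, session_account_id: int, form: dict) -> Status:
    """Apply a status-change form to an item.

    The actor is the account bound to the server-side session, never a value
    posted by the client, and the client may only name a verb. Any "status" or
    "editor_accountid" field in the form is deliberately ignored, so posting
    status=5 directly (the trick described above) has no effect.
    """
    action = form.get("action")
    if action == "submit":
        if item.status is not Status.DRAFT:
            raise ReviewError("only drafts can be submitted for review")
        item.status = Status.READY_FOR_REVIEW
    elif action == "approve":
        if session_account_id not in STAFF_ACCOUNTS:
            raise ReviewError("only reviewers may approve")
        if item.status is not Status.READY_FOR_REVIEW:
            raise ReviewError("nothing is awaiting review")
        item.review_tickets.append((session_account_id, item.status))  # the audit trail
    elif action == "release":
        if not item.review_tickets:
            raise ReviewError("no review ticket: content has not been reviewed")
        item.status = Status.RELEASED
    else:
        raise ReviewError(f"unknown action {action!r}")
    item.audit.append((session_account_id, action))
    return item.status
```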

¯\_(ツ)_/¯

Thanks for reading guys!

TL;DR — I was responsible for Watch paint dry. Getting caught was part of my plan. It’s just a prank, bro!

You’re a big guy.
