Dev showcases Steam security exploit, gets 1 year comm. ban and loses partner rights

ashecitism

Member
Jun 29, 2013
17,990
22
0
Hungary
Update2: He's been unbanned and has partners access again.

Updated OP with Stump's post. See at the bottom.

Jesus fucking Christ, Valve. This for making you finally fix a vulnerability? Seriously?

https://twitter.com/tomasduda/status/478301124257411072

@jwilliamson1121 Just made Valve fix script tags in community announcements after several attempts for that. And this is my reward!
@tomasduda keep it in a private realm if you can, found an XSS in mod names in screenshots, reported and made it private, fixed 2 days later

@damon_gant I wanted to, I talked about this with a Valve guy few months ago. And Harlem Shake thing got a bit viral because it was funny.

@tomasduda Sounds like my other experience with Valve, which got me banned from the old forums after 4 weeks of silence
https://twitter.com/tomasduda/status/478301630610571264

I also lost my Steamworks Partner access.
https://twitter.com/tomasduda/status/478301717025800192

I was talking about the script tag vulnerability multiple times. No one fixed it. Now I did Harlem Shake for fun (yay for #steamdb).
https://twitter.com/tomasduda/status/478302961001836544

Imagine if someone used the vulnerability to steal users' session IDs? Redirected to a phishing site?
https://twitter.com/tomasduda/status/478303063166693376

http://www.reddit.com/r/Steam/comments/288azx/what_the_fuck_steam/ci8ebud

Edit: I got banned for this for a year. Also lost access to the Steamworks Partner site too, so can't do anything dev related. Praise Gaben.

Harlem Shake is over, one of the Valve guys is fixing it at the moment.

Short version of what happened: <script> tags were allowed in community announcements. We were talking about weird Steam's HTML parsers in the #steamdb channel, and then Harlem Shake happened. Blame xPaw, Marlamin and Gran PC, of course.
http://www.reddit.com/r/Steam/comments/28980x/developer_of_euro_truck_simulator_2_receives_one/

http://www.reddit.com/r/Steam/comments/28980x/developer_of_euro_truck_simulator_2_receives_one/ci8rwaf

Well, I saw on the channel that they were informed "months" ago, and the response was "It's not an attack vector because we trust developers".

We all know that Greenlight does not exist, and no dev account ever has or will be compromised (not looking at you heartbleed), so this stance is perfectly reasonable.
On one hand publicly showcasing a potential exploit is a pretty shit thing to do, but on the other hand he said he told Valve several times before yet they didn't do anything.

He works on Euro Truck Simulator 2 btw and said this won't affect the game.

edit:

Stump cleared some things up

Wow, it's a thread full of people responding about best practices for exploit disclosure when none of them know anything about best practices for exploit disclosure:



He did contact them, they declined to fix it.



This is considered one of several models for the right way to do things in the security community. When a vendor refuses to cooperate on a coordinated disclosure, full disclosure is the model that most security experts favour to prevent weaponized exploitation.



It wasn't a speed issue, they filed it as NOTABUG. In the security community, this typically leads to public disclosure.



Again, this is the right way to do this.



Making an exploit public in a benign form to force a patch before the exploit is weaponized is, in fact, one of the things that occurs in the security community.



This is not an apt metaphor here as stabbing a dog doesn't help you prevent a dog from being killed later. There's no need for metaphors at all. Everyone understands that software has vulnerabilities, and everyone understands there are a variety of industry best practices for disclosure. Filing something as NOTABUG is not an industry best practice for security.
In most cases the controversy with disclosing an exploit is that not only does the vendor need to patch, but sysadmins worldwide need to upgrade their existing software. So typically when you disclose a bug, your proof of concept is running on your own server or is a program that people can run on their own servers. This is a little different because only Valve needs to patch the bug, but we can still walk through the steps. It's also a little different because a user can't independently verify the exploit, since no one can just magically get Steamworks developer privileges.

The standard procedure for coordinated, responsible disclosure is:
- You discover an exploit by probing for an exploit in a benign, safe way, without causing harm
- You contact the vendor
- The vendor and you agree on a timeline for fixing and disclosure (because this is a service-side exploit, disclosure after the exploit is fixed is totally benign)

Typically vendors do not refuse to fix, they drag their heels on the timeline. The biggest controversy in the security community is about what level of heel-dragging is necessary before you move to disclose without a fix. In this case, the vendor refused to fix. As a result, there is no debate. The developer still waited several months, apparently.

The standard procedure for disclosure of an exploit in the absence of a fix is
- Develop a version of the exploit that is able to be shown as a proof of concept without hurting anyone
- Deploy the exploit in as contained a way as you can
- Release the details of the exploit, with the level of specificity you give in your disclosure relative to the impact you think the disclosure will have. In this case, the exploit itself is trivial (as Valve noted, it is apparently by design.) As a result, merely having a proof of concept is enough to convey the exploits to all others.

What the developer did
- Took an old news posting (so that no one would accidentally be clicking it)
- Added an exploit presumably to play the harlem shake song (annoying, but clearly not harmful)
- Disclosed

It's difficult to view a set of circumstances where the developer was being abusive or irresponsible here in the manner of his disclosure, or the timing.
 

Tesseract

Crushed by Thanos
Dec 7, 2008
32,031
3,312
1,100
i'm banned bee-otch, honk honk!

stay private, stay cool, stay safe

#valve
 

Garrett Hawke

Member
Jan 24, 2014
24,345
0
430
inb4 "Praise Gaben. I'm sure he had a perfectly good reason to do this."
That really sucks for that guy though. Like yeah it was shit to expose the flaw publicly but I feel like when companies refuse to fix stuff, forcing their hand like this is the only way.
 

Kade

Member
Jul 23, 2006
12,542
0
1,100
Canada
Why didn't he just email them and tell them about the exploit? What does he mean by "I was talking about the script tag vulnerability multiple times"? Directly to Valve or in general?
 
Jan 1, 2009
13,315
2
0
Hmmm it's not cleared how he showcased it. Did he do it privately?

Valve is so backwards with this. Google literally pays people for showing them exploits and helping them patch Chrome and Android.
 

HariKari

Member
Jun 28, 2013
7,278
0
0
If they're not going to fix it, he did the right thing. Saved them from their own idiotic decision to not address it.
 

chuckddd

Fear of a GAF Planet
Apr 24, 2008
31,546
0
0
There's a right way to do things and a wrong way to do things. When you can't tell the difference, you pay the price.
 

jem0208

Member
Jul 17, 2013
11,386
0
395
There's a right way to do things and a wrong way to do things. When you can't tell the difference, you pay the price.
Sounds like the "right" way failed with Valve so he resorted to doing it the "wrong" way to force them to deal with the problem.
 

Tagyhag

Member
Aug 21, 2013
17,883
0
0
Los Angeles
inb4 "Praise Gaben. I'm sure he had a perfectly good reason to do this."
That really sucks for that guy though. Like yeah it was shit to expose the flaw publicly but I feel like when companies refuse to fix stuff, forcing their hand like this is the only way.
To be honest, I wouldn't have exposed it publicly. Because if Valve didn't fix it and something wrong happened, the full blame would be on them. So, he did the right thing, but he shouldn't have had to in the first place.

Sucks for the guy, he only wanted to help.
 

chrominance

Member
May 24, 2013
9,370
1
0
I'm not totally sure how you do a private proof of concept for something like this unless you get Valve involved (can you have private communities, even?), so if Valve really wasn't moving on this at all I can see why public disclosure would've been the only option available. Obviously we just have this guy's word against Valve's word (aka nothing except the ban) but so far the guy's story seems legit. If he wasn't on the up and up, why bother wasting the exploit on a silly meme post?
 

Foffy

Banned
May 14, 2009
22,559
1
0
And they didn't fix it fast enough for his liking, so he forced their hand by exposing it publicly. What an entitled ass.
Clearly his "entitled ass" wanted to help them address a security exploit. I'm sure those things should be taken care of when they're known, which apparently Valve failed to do on their own.
 

DaBuddaDa

Member
Sep 12, 2004
10,804
0
1,290
Clearly his "entitled ass" wanted to help them address a security exploit. I'm sure those things should be taken care of when they're known, which apparently Valve failed to do on their own.
Maybe they felt the exploit wasn't severe enough to have to address immediately? Who is he to dictate to the full time developers of Steam what to prioritize and when to fix things? Maybe Steam developers know of fifty other security holes they are trying to fix first?

Like someone else said, there is a right way and a wrong way going about this, and this is absolutely not the right way.
 

Archaix

Drunky McMurder
Jun 6, 2004
19,614
0
0
And they didn't fix it fast enough for his liking, so he forced their hand by exposing it publicly. What an entitled ass.


An entitled ass? "Entitled"? You fucking moron. He was trying to get them to fix a possible exploit and they didn't do shit because nobody at Valve felt like doing it that particular week so it got shoved to the customer service pile of "Eh, fuck it".
 

Dolor

Member
Jun 17, 2013
1,996
0
0
Katy, TX
steamcommunity.com
Maybe they felt the exploit wasn't severe enough to have to address immediately? Who is he to dictate to the full time developers of Steam what to prioritize and when to fix things? Maybe Steam developers know of fifty other security holes they are trying to fix first?

Like someone else said, there is a right way and a wrong way going about this, and this is absolutely not the right way.
Tend to agree with this. Making it public makes everyone's stuff less secure and can make the work that has to be rushed worse.
 

ZeroX03

Member
Oct 23, 2009
27,340
0
620
Australia/New Zealand
Valve is so backwards with this. Google literally pays people for showing them exploits and helping them patch Chrome and Android.
Didn't Google have a situation where they refused to listen to someone telling them about an exploit, so he exploited it to show them, then they acknowledged it and refused to pay him?

EDIT: Nope, it was Facebook. Dude posted the exploit on Zuck's page.
 

Xpliskin

Member
May 22, 2009
4,232
0
0
Europe
Didn't he break the TOS when he showcased it and used it for the harlem shake ?

Warning about an exploit is one thing but making it public and actually using it is another imo, regardless of reasons.
 

Kade

Member
Jul 23, 2006
12,542
0
1,100
Canada
It's shitty on Valve's part that they didn't fix it but you don't need to stab a dog to prove that it bleeds. Regardless of your intent, you just stabbed a damn dog.
 

Dead Man

Member
Aug 24, 2007
54,266
0
0
I'm leaning more toward this:
Sounds like the "right" way failed with Valve so he resorted to doing it the "wrong" way to force them to deal with the problem.
Than this:
And they didn't fix it fast enough for his liking, so he forced their hand by exposing it publicly. What an entitled ass.
Since I'm not sure where entitlement comes into it other than your head.
 

ashecitism

Member
Jun 29, 2013
17,990
22
0
Hungary

BronsonLee

Member
Oct 30, 2011
50,963
2
0
Eh, this is a murky one. This is kind of like when hackers showcase an exploit publicly: It's almost always to force companies to fix it more than anything. I remember this came up with ATMs and pacemakers a few years ago.

But yeah, he should've known going public would've had some consequence. They weren't just going to let it slide
 

Seiru

Banned
Jun 19, 2004
1,123
0
0
Valve leaves a serious security exploit unfixed for months, and people are blaming a developer for making it public? Do you guys like getting your personal info stolen or something?

This is what you do when you find an exploit. First you inform the owner of the platform/website in private (which this developer did). Then, if they don't fix it in a timely manner, you inform everybody. This lets users protect themselves by avoiding the exploit, and forces the owner of the platform to fix their shit. The idea is that if you can find the exploit, somebody else with more sinister intentions certainly can (and they won't inform the owner in private).

This is basic stuff, people.
 

yamo

Member
Dec 24, 2007
2,151
0
0
Valve just cancelled Half-Life 3 and put all resources to bug fixing instead. Thanks!
 

King Gilga

Member
Sep 1, 2013
6,710
1
385
Dick move by valve.

Not surprised though, in my couple times of dealing with them, they have the worst customer service in the industry, and that's ignoring that week long wait times between responses.
 

Dr Amazon MD

Member
Nov 8, 2013
1,028
0
0
Michigan
An entitled ass? "Entitled"? You fucking moron. He was trying to get them to fix a possible exploit and they didn't do shit because nobody at Valve felt like doing it that particular week so it got shoved to the customer service pile of "Eh, fuck it".
Calm down buddy it's just a post. And we're only hearing one side of the story here. No one's sure this guy is Robin Hood.
 

KarmaCow

Member
Sep 13, 2009
15,015
0
0
Valve needs to get its act together being the stewards of Steam. It's not a self sustaining entity yet and now is the critical time if they plan on transitioning to that.
 

Currygan

at last, for christ's sake
Jul 7, 2012
34,742
0
0
London, England
shite move by Valve, which I understand has a terribad track record with dealing with this stuff, but as Nicholas Angel said, the law's the law
 

Not Spaceghost

Spaceghost
Jan 16, 2009
12,258
1
845
Space
He did the right thing, if you can insert scripts like that and some one else found out before they "got around to it" it could have been absolutely devastating. Forcing them to do it was definitely the right move.

However, he should totally have expected this ban incoming for the way he handled it. Valve may have gone a bit over board though.
 

Stumpokapow

listen to the mad man
May 21, 2006
17,232
3
0
Wow, it's a thread full of people responding about best practices for exploit disclosure when none of them know anything about best practices for exploit disclosure:

Why didn't he just email them and tell them about the exploit? What does he mean by "I was talking about the script tag vulnerability multiple times"? Directly to Valve or in general?
He did contact them, they declined to fix it.

There's a right way to do things and a wrong way to do things. When you can't tell the difference, you pay the price.
This is considered one of several models for the right way to do things in the security community. When a vendor refuses to cooperate on a coordinated disclosure, full disclosure is the model that most security experts favour to prevent weaponized exploitation.

And they didn't fix it fast enough for his liking, so he forced their hand by exposing it publicly. What an entitled ass.
It wasn't a speed issue, they filed it as NOTABUG. In the security community, this typically leads to public disclosure.

Maybe they felt the exploit wasn't severe enough to have to address immediately? Who is he to dictate to the full time developers of Steam what to prioritize and when to fix things? Maybe Steam developers know of fifty other security holes they are trying to fix first?

Like someone else said, there is a right way and a wrong way going about this, and this is absolutely not the right way.
Again, this is the right way to do this.

Warning about an exploit is one thing but making it public and actually using it is another imo, regardless of reasons.
Making an exploit public in a benign form to force a patch before the exploit is weaponized is, in fact, one of the things that occurs in the security community.

It's shitty on Valve's part that they didn't fix it but you don't need to stab a dog to prove that it bleeds. Regardless of your intent, you just stabbed a damn dog.
This is not an apt metaphor here as stabbing a dog doesn't help you prevent a dog from being killed later. There's no need for metaphors at all. Everyone understands that software has vulnerabilities, and everyone understands there are a variety of industry best practices for disclosure. Filing something as NOTABUG is not an industry best practice for security.
 

wildfire

Banned
Jun 5, 2011
15,915
0
0
Valve leaves a serious security exploit unfixed for months, and people are blaming a developer for making it public? Do you guys like getting your personal info stolen or something?

This is what you do when you find an exploit. First you inform the owner of the platform/website in private (which this developer did). Then, if they don't fix it in a timely manner, you inform everybody. This lets users protect themselves by avoiding the exploit, and forces the owner of the platform to fix their shit. The idea is that if you can find the exploit, somebody else with more sinister intentions certainly can (and they won't inform the owner in private).

This is basic stuff, people.

Most people, let alone gamers, aren't aware of how the software development community does things which makes Valves response all the more surprising and flagrant.
 
Feb 15, 2006
10,024
15
0
Eh, this is a murky one. This is kind of like when hackers showcase an exploit publicly: It's almost always to force companies to fix it more than anything. I remember this came up with ATMs and pacemakers a few years ago.

But yeah, he should've known going public would've had some consequence. They weren't just going to let it slide
This.
 

nephilimdj

Member
Jan 31, 2011
5,828
53
500
Straya
You think news like this will just lead to people looking for more holes.

It really is bad for valve, to think if they worded their reply differently. His trust would of been much larger.
 

BronsonLee

Member
Oct 30, 2011
50,963
2
0
I don't wanna quote all of Stump's stuff there, but yeah, this is the general roadmap for this sort of stuff.

Someone finds bug
Reports bug to company
A: Company fixes it/promises to/gives timetable for fix/whatever
B: Company ignores/marks as notabug (what happened here)

If B happens, going public is usually the next thing. There are usually some minor consequences for it (like this), but most people kind of know the deal by now and accept that, if it means it gets fixed.
 

Stumpokapow

listen to the mad man
May 21, 2006
17,232
3
0
You think news like this will just lead to people looking for more holes.
People should be looking for holes. Bad guys are always looking for holes. Good guys looking for holes leads to more public awareness and more chances that holes are fixed before the exploits result in severe harm.
 

Rapstah

Member
Jul 20, 2009
13,184
0
0
What's a "community message"? Which developer accounts are allowed to post them? All of them? Does every game have a "community" section? Depending on a lot of things, ignoring the "exploit" of allowing Javascript in their HTML parser for "community messages" can make all kinds of sense or be the worst thing ever.

Corporations really hate it when you do what this guy did though. Could have told other developers about it and have them complain to Valve too instead if they found it serious enough. The dude certainly finds the issue serious enough.