ashecitism
Member
Update2: He's been unbanned and has partners access again.
Updated OP with Stump's post. See at the bottom.
Jesus fucking Christ, Valve. This for making you finally fix a vulnerability? Seriously?
https://twitter.com/tomasduda/status/478301124257411072
@jwilliamson1121 Just made Valve fix script tags in community announcements after several attempts for that. And this is my reward!
@tomasduda keep it in a private realm if you can, found an XSS in mod names in screenshots, reported and made it private, fixed 2 days later
@damon_gant I wanted to, I talked about this with a Valve guy few months ago. And Harlem Shake thing got a bit viral because it was funny.
@tomasduda Sounds like my other experience with Valve, which got me banned from the old forums after 4 weeks of silence
https://twitter.com/tomasduda/status/478301630610571264
I also lost my Steamworks Partner access.
https://twitter.com/tomasduda/status/478301717025800192
I was talking about the script tag vulnerability multiple times. No one fixed it. Now I did Harlem Shake for fun (yay for #steamdb).
https://twitter.com/tomasduda/status/478302961001836544
Imagine if someone used the vulnerability to steal users' session IDs? Redirected to a phishing site?
https://twitter.com/tomasduda/status/478303063166693376
http://www.reddit.com/r/Steam/comments/288azx/what_the_fuck_steam/ci8ebud
Edit: I got banned for this for a year. Also lost access to the Steamworks Partner site too, so can't do anything dev related. Praise Gaben.
Harlem Shake is over, one of the Valve guys is fixing it at the moment.
Short version of what happened: <script> tags were allowed in community announcements. We were talking about Steam's weird HTML parsers in the #steamdb channel, and then Harlem Shake happened. Blame xPaw, Marlamin and Gran PC, of course.
http://www.reddit.com/r/Steam/comments/28980x/developer_of_euro_truck_simulator_2_receives_one/
http://www.reddit.com/r/Steam/comme...f_euro_truck_simulator_2_receives_one/ci8rwaf
Well, I saw on the channel that they were informed "months" ago, and the response was "It's not an attack vector because we trust developers".
We all know that Greenlight does not exist, and no dev account ever has or will be compromised (not looking at you heartbleed), so this stance is perfectly reasonable.
On one hand publicly showcasing a potential exploit is a pretty shit thing to do, but on the other hand he said he told Valve several times before yet they didn't do anything.
He works on Euro Truck Simulator 2 btw and said this won't affect the game.
edit:
Stump cleared some things up
Wow, it's a thread full of people responding about best practices for exploit disclosure when none of them know anything about best practices for exploit disclosure:
He did contact them, they declined to fix it.
This is considered one of several models for the right way to do things in the security community. When a vendor refuses to cooperate on a coordinated disclosure, full disclosure is the model that most security experts favour to prevent weaponized exploitation.
It wasn't a speed issue, they filed it as NOTABUG. In the security community, this typically leads to public disclosure.
Again, this is the right way to do this.
Making an exploit public in a benign form to force a patch before the exploit is weaponized is, in fact, one of the things that occurs in the security community.
This is not an apt metaphor here as stabbing a dog doesn't help you prevent a dog from being killed later. There's no need for metaphors at all. Everyone understands that software has vulnerabilities, and everyone understands there are a variety of industry best practices for disclosure. Filing something as NOTABUG is not an industry best practice for security.
In most cases the controversy with disclosing an exploit is that not only does the vendor need to patch, but sysadmins worldwide need to upgrade their existing software. So typically when you disclose a bug, your proof of concept is running on your own server or is a program that people can run on their own servers. This is a little different because only Valve needs to patch the bug, but we can still walk through the steps. It's also a little different because a user can't independently verify the exploit, since no one can just magically get Steamworks developer privileges.
The standard procedure for coordinated, responsible disclosure is:
- You discover an exploit by probing for an exploit in a benign, safe way, without causing harm
- You contact the vendor
- The vendor and you agree on a timeline for fixing and disclosure (because this is a service-side exploit, disclosure after the exploit is fixed is totally benign)
Typically vendors do not refuse to fix, they drag their heels on the timeline. The biggest controversy in the security community is about what level of heel-dragging is necessary before you move to disclose without a fix. In this case, the vendor refused to fix. As a result, there is no debate. The developer still waited several months, apparently.
The standard procedure for disclosure of an exploit in the absence of a fix is
- Develop a version of the exploit that is able to be shown as a proof of concept without hurting anyone
- Deploy the exploit in as contained a way as you can
- Release the details of the exploit, with the level of specificity you give in your disclosure relative to the impact you think the disclosure will have. In this case, the exploit itself is trivial (as Valve noted, it is apparently by design). As a result, merely having a proof of concept is enough to convey the exploit to all others.
What the developer did
- Took an old news posting (so that no one would accidentally be clicking it)
- Added an exploit presumably to play the Harlem Shake song (annoying, but clearly not harmful)
- Disclosed
It's difficult to view a set of circumstances where the developer was being abusive or irresponsible here in the manner of his disclosure, or the timing.