[pfooti]

This is a pretty cool exploit, and of course reinforces one of the most important rules of writing software. Don't trust users.

The center of what this kid pulled off to get his game on the front page with no Valve oversight basically amounted to fiddling around with an HTML form data and feeding the back end illegal state information.

The fact that the back end's business logic layer didn't verify and authorize the request is hugely troubling from a big service like steam. What other dragons are lurking in there to exploit? Could I take ownership of someone else's game on the store? Get myself some free games by generating reviewer steam keys? All sorts of interesting activity is possible.

[criley2]

>"The fact that the back end's business logic layer didn't verify and authorize the request is hugely troubling from a big service like steam. What other dragons are lurking in there to exploit? Could I take ownership of someone else's game on the store? Get myself some free games by generating reviewer steam keys? All sorts of interesting activity is possible."

This feels to me like saying "I can just walk into a big box store, take something off the shelf and walk out".

Yes, you can. And people do. And yet, outside of extreme circumstances there isn't much these stores do to stop you. Loss prevention is a leaky sieve and can cost more than the loss did.

Heck just steal the steam key from a boxed set in a store. The key itself doesn't have protection. Take a picture of it. Whatever.

Stealing isn't hard, but still we don't do too much of it...

[marshray]

> "I can just walk into a big box store, take something off the shelf and walk out"

Data security is where our intuition formed from real-world experience falls down.

Physical theft in a store is bounded by many factors, not the least of which is someone actually has to carry out the goods without being intercepted. Stores deploy additional security mechanisms to alert on high-value merchandise that is small enough to easily conceal. So stores' losses are bounded by the impracticality of "scaling up" the theft attack.

But digital systems are absurdly brittle. Most systems lack defense in depth and computers are just as good at scaling up the attacker's transactions as the legitimate ones. So once the attacker invalidates even the smallest-seeming assumption made by the developers it tends to lead to complete compromise of the system.

So when you hear "random web developer made the common mistake of relying on client side validation" it's kinda like finding a leak in your submarine's hull.

[criley2]

>"Data security is where our intuition formed from real-world experience falls down.

Very sad to see the closed-mindedness in this thread where users reject a very valid and apt comparison because it does not meet their preconceived notion of these models.

Ironically the only factor that "knocks down" our intuition is you, when you reject points without considering them. You knocked down my valid point not fairly, but unfairly, waiving it away without consideration.

>"Physical theft in a store is bounded by many factors, not the least of which is someone actually has to carry out the goods without being intercepted. Stores deploy additional security mechanisms to alert on high-value merchandise that is small enough to easily conceal. So stores' losses are bounded by the impracticality of "scaling up" the theft attack."

Very very sad that you cannot see the obvious and basic similarities.

Do you believe it is as simple to steal 1TB of data as it is 1MB? --- So you agree there are obvious "bounds" to digital that mirror real world?

How about content type? Do you think it's easier to steal data replicated on their general purpose CDN than say account data hosted internally at one of their data centers?

Do you believe that online services don't deploy additional security mechanisms on high-value data?

Do you not realize that digital data losses are bounded by the impracticality of stealing large amounts of data, too?

I hope that users reading this thread will read + think more than they reject + talk because it's very depressing seeing this response here.

[marshray]

The recent 'Panama Papers' leak shows that it is indeed practical to steal 2.6 TB of data.

[criley2]

And the fact that warehouses are robbed, eighteen wheelers are robbed, trains are robbed, etc shows that it is indeed practical to steal literal tons of goods.

Practical and common, however, are not the same...

(I'll also point out that in my comment I said: is it the same difficulty to steal 1TB as 1MB? I never said it was impossible, just drawing a distinction).

[marshray]

"Sony Hackers Have Over 100 Terabytes Of Documents." https://en.wikipedia.org/wiki/Data_breach#cite_ref-17

[seanp2k2]

The point here is that this should be more technically difficult to do, or some human should be involved. It looks like one of the root causes is that the server-side validation isn't comprehensive enough. That part should be fairly easy to fix.

[johansch]

You are using way too many words to say "the emperor has no clothes".

:)

[darkmighty]

The problem here is not so much someone stealing stuff or making money I think (e.g. if a rogue company puts it's game for sale without approval, after Valve finds out they're going to get sued and probably have to return all earnings); the problem is anonymous vandalism. If the system is really bad some people can wreak havoc stealing sensitive data, unduly charging people for games, polluting the front page with fake games, subtly undermining competitor games, etc.

[criley2]

Because a masked person (anonymous vandal) has never vandalized something in the real world.

[bitteralmond]

Stealing one thing from the store isn't hard, but the nature of vulnerabilities like this one means there isn't much additional technical challenge going from stealing one thing once to stealing everything a million times. To continue your store analogy, imagine if it's just as easy to make an army of robots that steal everything as it is to steal one thing personally.