This is a pretty cool exploit, and of course reinforces one of the most important rules of writing software. Don't trust users.
The center of what this kid pulled off to get his game on the front page with no Valve oversight basically amounted to fiddling around with an HTML form data and feeding the back end illegal state information.
The fact that the back end's business logic layer didn't verify and authorize the request is hugely troubling from a big service like steam. What other dragons are lurking in there to exploit? Could I take ownership of someone else's game on the store? Get myself some free games by generating reviewer steam keys? All sorts of interesting activity is possible.
>"The fact that the back end's business logic layer didn't verify and authorize the request is hugely troubling from a big service like steam. What other dragons are lurking in there to exploit? Could I take ownership of someone else's game on the store? Get myself some free games by generating reviewer steam keys? All sorts of interesting activity is possible."
This feels to me like saying "I can just walk into a big box store, take something off the shelf and walk out".
Yes, you can. And people do. And yet, outside of extreme circumstances there isn't much these stores do to stop you. Loss prevention is a leaky sieve and can cost more than the loss did.
Heck just steal the steam key from a boxed set in a store. The key itself doesn't have protection. Take a picture of it. Whatever.
Stealing isn't hard, but still we don't do too much of it...
> "I can just walk into a big box store, take something off the shelf and walk out"
Data security is where our intuition formed from real-world experience falls down.
Physical theft in a store is bounded by many factors, not the least of which is someone actually has to carry out the goods without being intercepted. Stores deploy additional security mechanisms to alert on high-value merchandise that is small enough to easily conceal. So stores' losses are bounded by the impracticality of "scaling up" the theft attack.
But digital systems are absurdly brittle. Most systems lack defense in depth and computers are just as good at scaling up the attacker's transactions as the legitimate ones. So once the attacker invalidates even the smallest-seeming assumption made by the developers it tends to lead to complete compromise of the system.
So when you hear "random web developer made the common mistake of relying on client side validation" it's kinda like finding a leak in your submarine's hull.
>"Data security is where our intuition formed from real-world experience falls down.
Very sad to see the closed-mindedness in this thread where users reject a very valid and apt comparison because it does not meet their preconceived notion of these models.
Ironically the only factor that "knocks down" our intuition is you, when you reject points without considering them. You knocked down my valid point not fairly, but unfairly, waiving it away without consideration.
>"Physical theft in a store is bounded by many factors, not the least of which is someone actually has to carry out the goods without being intercepted. Stores deploy additional security mechanisms to alert on high-value merchandise that is small enough to easily conceal. So stores' losses are bounded by the impracticality of "scaling up" the theft attack."
Very very sad that you cannot see the obvious and basic similarities.
Do you believe it is as simple to steal 1TB of data as it is 1MB? --- So you agree there are obvious "bounds" to digital that mirror real world?
How about content type? Do you think it's easier to steal data replicated on their general purpose CDN than say account data hosted internally at one of their data centers?
Do you believe that online services don't deploy additional security mechanisms on high-value data?
Do you not realize that digital data losses are bounded by the impracticality of stealing large amounts of data, too?
I hope that users reading this thread will read + think more than they reject + talk because it's very depressing seeing this response here.
And the fact that warehouses are robbed, eighteen wheelers are robbed, trains are robbed, etc shows that it is indeed practical to steal literal tons of goods.
Practical and common, however, are not the same...
(I'll also point out that in my comment I said: is it the same difficulty to steal 1TB as 1MB? I never said it was impossible, just drawing a distinction).
The point here is that this should be more technically difficult to do, or some human should be involved. It looks like one of the root causes is that the server-side validation isn't comprehensive enough. That part should be fairly easy to fix.
The problem here is not so much someone stealing stuff or making money I think (e.g. if a rogue company puts it's game for sale without approval, after Valve finds out they're going to get sued and probably have to return all earnings); the problem is anonymous vandalism. If the system is really bad some people can wreak havoc stealing sensitive data, unduly charging people for games, polluting the front page with fake games, subtly undermining competitor games, etc.
Stealing one thing from the store isn't hard, but the nature of vulnerabilities like this one means there isn't much additional technical challenge going from stealing one thing once to stealing everything a million times. To continue your store analogy, imagine if it's just as easy to make an army of robots that steal everything as it is to steal one thing personally.
Wait. So... making executable code available to hundreds of millions of users on a storefront they trust just takes sending a forged HTTP request?
No cryptographic signing process? No automated software analysis and sandboxing? What the hell was Valve thinking? Watching paint dry is pretty much the best case outcome for something like this. It could well have been Mass Effect 3 on Steam for $5, yet the actual code being ransomware...
I wouldn't call it proper QA, when they release something like Batman: Arkham Knight which was horribly buggy. GOG wouldn't have accepted such version.
We merged a comment into here from one of the gazillion previous posts of this thread; if anyone knows of any other good comments we can do the same for them.
It's because of HN's weird duplicate link policy. The way I understand it, When someone resubmits a link, and the second resubmission gets more traction than the original, then the comments/points of the resubmission are transferred to the original submission and the original submission's "timestamp" is set to the resubmission's timestamp. The modified timestamp is used in rank calculations (post rank decays based on age, so a newer timestamp means a lower decay penalty). The HN search site shows the true timestamp, which is why on this story you see a mismatch.
Another way to see this is by the looking at the post ID. The post before this one is 11445139 https://news.ycombinator.com/item?id=11445139 (posted 1 day ago), the post after this one is 11445141 https://news.ycombinator.com/item?id=11445141 (posted 1 day ago), but this post is 11445140 (posted 4 hours ago). By deduction, the original post was submitted 1 day ago sometime in-between the other two.
Basically the system gives credit to the original submission vs the resubmission. It does look like a bug, and I think it is quite confusing, IMO there should be a FAQ somewhere explaining how duplicates work.
I don't see why I am being down-voted. This person is admitting to an illegal act. Valve does not have a bug bounty program which means this person had no justification to do this legally.
The center of what this kid pulled off to get his game on the front page with no Valve oversight basically amounted to fiddling around with an HTML form data and feeding the back end illegal state information.
The fact that the back end's business logic layer didn't verify and authorize the request is hugely troubling from a big service like steam. What other dragons are lurking in there to exploit? Could I take ownership of someone else's game on the store? Get myself some free games by generating reviewer steam keys? All sorts of interesting activity is possible.