If you find an exploit, shouldn't you get in touch with Valve's developers directly, instead of publicly showing how the exploit works and thereby violating the Steam ToS?
Just saying ...
Comment has been collapsed.
LOng story short, there was an exploit on Steam which allowed the use of <script> tags in announcements and Timmy saw that as a big security flaw and how it could be misused for nefarious purposes. He mailed Valve and warned them multiple times about it and their response was something along the lines of "we are aware of it but we trust devs to no abuse it so everything will be fine"
So last night he edited his old announcement and made the whole page do the harlem shake, with audio and shaking letters and everything (i'm not kidding). Now after few months or even more of allowing that exploit, Valve immediatelly fixed it and gives him a year long community ban and revoked his Steamworks partner access
Comment has been collapsed.
Linky for steam harlem shake
Haha omfg. Quite funny.
Comment has been collapsed.
IMO he was dumb to bother about it anyway. It wasn't HIS thing to fix how Steam works anyway. If Steam staff thought it didn't have any dangers to their platform, I don't know why a game dev would bother to put his nose where it doesn't belong.
Comment has been collapsed.
If Steam staff thought it didn't have any dangers to their platform, I don't know why a game dev would bother to put his nose where it doesn't belong
LOL
"It permitted running arbitrary JavaScript within the page. Considering there are cookies involved in the authentication, a malevolent script could likely steal session information or maybe even login data. In general, running JavaScript within a secured session (SSL) is about the worst that can happen for a site with login security.
Timmy showcased this by running some Harlem Shake script (nuisance only - not malevolent otherwise) in an older announcement after Valve did nothing in respect to resolve the hole.
So yeah, anyone permitted to post community announcements was able to run scripts within your browser session. Now, somebody who obtained such access by for example breaching a Steamworks partner's login information - you know just the way it happened a few months ago when Valve's servers were hit by Heartbleed exploits could in theory sniff login information of Steam users"
Yeah no dangers at all except maybe sniffing out your session ID or redirect you to a phishing site
Comment has been collapsed.
So, if someone finds out there's a fault with a car/plane but the manufacturer says's there's nothing wrong with it he should just shut up and do nothing?
Oh, wait a minute, isn't GM in the news a lot lately? Hmm, if only someone had gone public earlier ...
Comment has been collapsed.
Dev abuses a security flaw, publicly ridicules Valve, wonders why he's now banned. Sounds legit.
Comment has been collapsed.
^ sounds stupid because Valve support permitted to use that script
Comment has been collapsed.
Yes and? They said they knew it was a flaw but trusted devs.
Just because Valve acknowledges it and says it trusts devs, does not mean it is not a security flaw. They trusted devs in spite of it being a flaw. English comprehension fail.
Comment has been collapsed.
And if a Steamworks Partner's login info is compromised? Always better to patch holes than ignore them.
Comment has been collapsed.
What if someone manages to steal cookies (that include steam guard data)?
It's not like it hasn't happend before.
Comment has been collapsed.
...so I guess this means ATS is delayed for a year? ;P
Comment has been collapsed.
Yeah, Steam tends to like banning people for stupid reasons. Oh well.
Comment has been collapsed.
Are there screens / footage? I am CURIOUUUS. Yees.
Comment has been collapsed.
Comment has been collapsed.
Well, google bans forever, at least VALVE bans for 52 weeks
Comment has been collapsed.
http://en.wikipedia.org/wiki/Responsible_disclosure <<<
He says that he "...talked about this with a Valve guy few months ago," but that could mean anything. Unless he gives more information about his communication, I don't see how it isn't deserved (though it might not be; as of now I don't know what he did).
Regardless, he's an idiot to post it on an account with such such publicity. Doing things like this are what alts are for.
Comment has been collapsed.
We need to sigh some petition to help this guy out! The whole story makes Valve a bunch of morons
Comment has been collapsed.
76 Comments - Last post 1 hour ago by Reidor
765 Comments - Last post 3 hours ago by grimfandango8888
0 Comments - Created 3 hours ago by PaganFears
43 Comments - Last post 4 hours ago by Qnemes
70 Comments - Last post 4 hours ago by orono
12 Comments - Last post 4 hours ago by orono
17 Comments - Last post 5 hours ago by SeaGoblin
133 Comments - Last post 4 minutes ago by cheeki7
2,168 Comments - Last post 4 minutes ago by SirSage
536 Comments - Last post 5 minutes ago by cheeki7
73 Comments - Last post 18 minutes ago by Zarddin
417 Comments - Last post 22 minutes ago by Momo1991
2 Comments - Last post 23 minutes ago by antidaz
1 Comments - Last post 29 minutes ago by Taizun
Apparently the dev used <script> tags to put the Harlem Shake in an Announcement. The dev did it to try to bring attention to the fact <script> tags can be abused. The problem has been around for a while i hear.
Now the dev is banned from steam AND the partner site for a whole year. Link to tweet from dev. I think it is a overreaction from steam imo.
Comment has been collapsed.