back to article Teen tricks leaky Valve into publishing hot new Steam game: Watching Paint Dry

A 16-year-old lad in Manchester, England, exploited flaws in Valve's developer site to publish on Steam an unapproved game about watching paint dry. Ruby Nealon, a computer science student at Salford uni, said a set of programming blunders in the Steamworks website let him sneak his Watch Paint Dry roleplaying game past Valve' …

  1. m0rt

    Bright lad.

    Together with Java Smith and A. Sembly he can form a White hat team that fights the evils of the 'dark net' and corrupt companies. Call themselves the Whizz Kids. Hey, sounds like a budding new series...

    Oh, wait...

    Damn my age.

    1. NoneSuch Silver badge
      Big Brother

      This is the sort of thing the FBI love to threaten twenty year felony sentences over. Make an American company face their security flaws through creative script manipulation? He'll be on the no-fly list by tea time.

      1. User4574

        Isn't that standard business practice? Brand someone that embarrasses your company by exposing critical security holes "a dirty rotten hacker" and throw the book at them.

        It worked for AT&T (weev) and Sony (geohotz) after all. There is certainly no shortage of white-knight commentards to defend this either.

  2. Anonymous Coward
    Anonymous Coward

    Movie Tie In?

    Was this the game conversion of the wonderful movie?

    1. Anonymous Coward
      Anonymous Coward

      Re: Movie Tie In?

      Tie in - or blatant attempt to piggy back on that films reputation. I assume the "cease and desist" order will be on its way pronto!

    2. Mike 16 Silver badge

      Re: Movie Tie In?

      I would hope not. Games based on movies are generally pretty crap (as are movies based on games, come to think of it).

  3. Anonymous Coward
    Anonymous Coward

    Sure beats...

    ...waiting for Half life 3. Much more exciting, this.

    1. JonP

      Re: Sure beats...

      "Waiting for Half life 3"

      Heh, that could be some DLC for "Watching Paint Dry", for those into extreme waiting...

      (9 years...any day now then...)

    2. Smallbrainfield

      Re: Sure beats...

      I read another article (on Kotaku) about this chap today. Apparently he very nearly called his "game" Half Life 3...

      1. Anonymous Coward
        Anonymous Coward

        Re: Sure beats...

        Really wish he had. :)

  4. J. R. Hartley


    Love stories like that. How wonderfully British haha.

  5. Pascal Monett Silver badge

    A bit miffed about the whole "ignored the warnings" part

    I thought Valve was better than that. I am disappointed that someone had to go and actually perform the hijack in order to get Valve to move on it.

    That was a serious bug. Valve can be happy that the guy didn't post something truly disgusting or horrifying, or simply malware. Chances are, if some true scum had found out, Valve would be publishing meek excuses for having riddled x thousands of gamer's PCs with the latest-harddisk encrypting malware. Methinks that would have been a much worse thing, and this guy alerted them to exactly that fact.

    When someone is nice enough to alert you to a problem that serious, you get fixing the issue, you don't ignore it. Shame on you, Valve.

    1. Anonymous Coward
      Anonymous Coward

      Re: A bit miffed about the whole "ignored the warnings" part

      Down vote for 'Methinks'.

      What is this, the 16th century?

      1. Charlie Clark Silver badge

        Re: A bit miffed about the whole "ignored the warnings" part

        What is this, the 16th century?

        Going by Valve's approach to coding it could well be.

      2. e^iπ+1=0

        Down vote for 'Methinks'.

        Uh, but you did not yet down vote the "methinks" post as it's currently showing 0 down votes.

        Methinks you forgot to vote!

      3. PNGuinn

        Down vote for 'Methinks'

        "What is this, the 16th century?"

        No, that was tomorrow.

        Do Keep up.

  6. wolfetone Silver badge

    Valve Review Games?

    If anyone here watches Nerd3 channel on YouTube, then we all know that this is bullshit.

    If you haven't, search for a game called Air Control. Utter tosh, and "This game costs real money".

    1. Anonymous Coward
      Anonymous Coward

      Steam vetting is non-existent...

      Early Access, Steam Green-Light.. Screening programs that excel at rubber stamping crud! Valve realize this, that's why they planned to retire the system a year ago. So WTF happened no reform??? Meantime, Steam users continue to green light games like mindless zombies! Classic examples: Steam Greenlight: Gabe Newell Simulator - and - Early Access: Mountains of Madness.

      1. Steven Raith

        Re: Steam vetting is non-existent...

        Jim Sterling also covers these in his sarcasticallly titled 'Best of Steam Greenlight Trailers', although I suspect he's a tad more vitriolic in his coverage.

        Also, a lot of his first impressions gameplay.

        He's currently being sued by a company called Digital Homocide for slander after he pointed out their games are nothing but asset flips (IE buying asset packs, throwing them together and claiming it's an original game) which gives you an idea of how backwards some of these 'game devs' are.

        Steam is (generally) a good platform, but there's some real problems with it these days.

        Steven R

      2. Captain Scarlet Silver badge

        Re: Steam vetting is non-existent...

        Gabe Newell Simulator, the only thing I liked about that was the cards were worth more than the actual game (Earned 50p more than what it was worth and it was a troll purchase from one of my friends who I then brought Shower with your Dad Simulator).

        Anyway Valve, kill them all with fire!

  7. Winkypop Silver badge

    Ruby off the rails

    Well done that geek.

    Not quite old enough to drink*, so I'll have his.

    * who am I kidding, he's from Manchester...

    1. John70

      Re: Ruby off the rails

      He's in Uni... So probably already had a few

    2. Charlie Clark Silver badge

      Re: Ruby off the rails

      Well, he's technically from Salford on the other side of the River Irwell. Mind you, that's the place where Grand Theft Auto isn't just a game…

  8. Peter 26


    I like that he linked two different areas to get the desired effect of a session id linked to a different user. He obviously had a lot of fun thinking, how far can I take this? Watching paint dry game... genius.

  9. Kelli

    There are/were fun lawnmower games, I played this one for hours!

    1. Crisp
      1. mythicalduck

        Re: The original was better

        Original? In 1988? Wrong...

        (I acknowledge that there might even be one prior to Hover Bovver, but I don't know it)

        1. gerdesj Silver badge

          Re: The original was better

          "Hover Bovver" - thanks a lot. I now have a SID chip bleeping out the music in my ear and a spritely dog whizzing around my mind.

  10. Duffy Moon

    Android Version

    Not by the same author, but for those craving paint-drying thrills:

  11. allthecoolshortnamesweretaken

    This kid is going places, brilliant!

    And I totally would pay to play 'Watching Paint Dry'. For a reasonable price. And when I'm drunk. But still...

    1. Michael Wojcik Silver badge

      Eh, WPD wasn't that great. The old Nintendo game Watching the Pixels Remain the Same Color had a better story (and who can forget that haunting music?).

      WPD's final boss was pretty tough, though. Really had me painted into a corner.

  12. Anonymous Coward
    Anonymous Coward

    More of a game than slaughtering grounds

  13. Anonymous Coward
    Anonymous Coward

    Lesson learnt

    "Something I've definitely learned from doing this is when working with user-generated content that first needs to be approved, do not have 'Review Ready' and 'Reviewed' as two states of existence for the content," said Nealon

    That's not the lesson to be learnt. The lesson is never, ever accept any response that comes from a user without first assuming it hasn't been completely buggered with. This especially goes for HTML forms or HTTP streams that are comically easy to modify. If your response is trusting something like an ID to be passed back to you untouched (instead of using tokens or something similar where you retain session scope on your box) then your design is completely broken...

    There was nothing wrong with having two states for "ready" and "reviewed" and likewise the suggested solution of an audit trail wouldn't have stopped the core problem which was not validating the info coming back from the interface.

  14. Scaffa
    Thumb Up

    Congratulations to young master Ruby Nealon!

    I imagine this won't be the last time we hear the name.

  15. Doctor_Wibble

    Not magnolia? Seriously?!?!?

    Those screenshots look like dirty beige! I do hope that's a display error, otherwise it would be an utter disgrace because it should have been the one and only magnolia, the colour of the universe!

  16. wsm


    It was the only game I could play without getting killed in the first level.

  17. Pseudonymous Diehard

    They arent the most

    Boring games inexistence. The El Reg comments section is.

    I waste time crafting rubbish comments to gain XP (upvotes) but theres no skill system to use the XP in.

    I came here to create a high level ice mage and to grind out some loot slaying noobs, but ive since discovered the loot drops here are worse than Diablo 3 and the only class you can choose is "Anonymous Coward". What a let down.

    Shittiest game of multiplayer Gedit ive ever played.

    1. PNGuinn

      Re: They arent the most

      You still on XP??

      That's your problem then. Everyone knows El Reg is a 'NIX shop.

  18. asdf

    The ultimate showdown (for someone else you hate)

    Desert Bus vs Big Rigs Over the Road Racing.

  19. Duffaboy
    Thumb Up

    Valve should show their thanks

    Hire the Kid or give him free content.

  20. Anonymous Coward
    Anonymous Coward

    Not read all of the details, but it sounds like an "overposting" attack*, if thats the case then there must have been a series of very poor design decisions made when that site was being put together.

    Bind the views directly to the model. Check

    Allow model binding to reconstruct the model based solely on the data coming back from the view. Check

    Pass the reconstructed model directly to the DAL for persistence in the database without checking it. Check

    The golden rule "Never trust user input" seems to have been forgotten by too many people.

    I demonstrated an over posting attack on a site that was delivered to an ex employer by a highly paid contractor while he was there, I used the F12 developer tool bar to make it easier. His response was "Why did microsoft make that available?" He genuinely didn't realize that the users would have access to the HTML and means of editing it regardless of the dev tools being there... He was a win forms developer trying to get into web... As far as I know he is still out there delivering crap like this.

    * I use the term attack loosely

    1. Michael Wojcik Silver badge

      Yes, apparently the Valve developers are too busy to have a glance at the OWASP Top 10. Or, as you note, the ancient maxim that data from untrustworthy sources can't be trusted.

  21. G 14

    I saw this on the new releases page over the weekend.. didn't click the banner image but I remembered the title. good on him!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022