Valve Bans Developer From Steam for Prank Exposing Vulnerability - Update

 Pages 1 2 NEXT
 

Valve Bans Developer From Steam for Prank Exposing Vulnerability - Update

Tom Duda placed a "Harlem Shake" prank on a Steam page to expose a vulnerability and was then banned by Valve.

Update: Duda has been unbanned!

After seeing the reactions across the multiple forums (including our own), this has been a divisive issue. While some people strongly feel Duda's ban was another example of corporate inhumanity, others highlight that his action was irresponsible and did exploit a vulnerability. Still, a number of people on both sides felt that Valve could have handled the issue better by addressing the exploit when it first came up or by recognizing Duda's intent. It seems that after some time, the people at Valve decided to lift the ban. It's unclear whether this is because the initial ban was a sudden reaction by some moderator or security personnel or if Valve considered the PR implications.

Original Story: Tom Duda, an employee of Euro Truck Simulator 2 developer SCS Software, has been banned from Steam after exposing a security issue with the service. According to his comments on Reddit, Duda had reported to Valve that certain code was permitted in the announcement pages for games that could allow for exploits.

While Duda was talking with other Steam users, this issue came up and he implemented a "Harlem Shake" style prank in an old announcement page for his company's game, Euro Truck Simulator 2. The code caused the screen to shake and play the "Harlem Shake" song from a meme that has (thankfully) faded from common use. The fact that the code was placed into one of Duda's announcements from early April would suggest that this was meant as a way to prove the vulnerability existed and could be exploited and maybe draw attention from someone at Valve.

It did. Valve quickly fixed the page and returned it to its original state and then banned Duda for a year. Duda, who owns over 1,200 Steam games, also lost access to everything developer related as well. He still has access to his games, but he is unable to participate in the Steam community. Duda took on the role of answering questions and posting announcements for SCS Software's games and is now unable to contribute in this way, nor is he able to be a part of the overall Steam community.

How dangerous is this security exploit? While the exact technicalities of the vulnerability are beyond me, a portion of the Reddit thread discussing Duda's ban goes into the possibilities. Reddit users explain that it doesn't give a person direct access to your computer, but can trick Steam users and use data entered on the webpage. Key loggers, rerouted payments, or accessing other browser tabs are some of the theoretical problems that exist. For example, user purple_pixe states:

They can't do "harm" in the sense of a computer virus on your local machine doing harm to that machine, but they can still do all sorts of nasty things to your connection with the server.

Like making you think that the "Steam Store" you're sending your payment to is in fact the Steam Store and not a hijacked version of the same where all the money goes to whoever put the exploit up. (That specific danger may or may not exist with this particular exploit, but that's the general idea of why it's bad even in a sandbox)

On the one hand, it's important that Valve address security concerns when they are brought up, and apparently Valve decided this vulnerability needed to be fixed once it was exploited. However, Duda did violate the Steam Subscriber agreement to implement his exploit, not to mention he is a representative of his company on that announcement page. Being forced to face repercussions for his actions is understandable, but Valve could be less severe with their penalty given the intent of Duda's prank.

Source: Reddit

Note: While researching this story, I found that Escapist user erbkaiser posted about this in our forums yesterday!

Permalink

Why not do this the MS way? Employ him. Reward him. Don't bloody ban him. This will just stop people from coming forward in the future if they find a vulnerability. The way he went about it was wrong, but maybe it was to prove the concept. No point reporting something that doesn't exist.

Agreed that this vulnerability is sloppy and needed to be fixed, but to do this and them complain about getting banned is somewhat... I'm not sure what it is but I think the dev has very little ground to stand on. If the agreement says "don't fuck around with the source code" then you don't do that shit, and if nobody is solving the issue you reported... I dunno, speak to someone personally? Surely the dev of a game on the store that sells as well as this one does has a steam dev on their friends list, or has someone who does.

Seems kinda stupid from Valve. An idiotic move even. Then again they have gotten awful draconian on certain things.

For an example, their Valve Anti Cheat. A decent programme all in all... except it bans forever, can have false possitives and there is no easy way to appeal it.

Such shit ought to change.

Thanks for the shout out Sigfodr :)

erbkaiser:
Thanks for the shout out Sigfodr :)

Not a problem. You were on it way before I found out about this, I thought it certainly deserved pointing out.

I'm interested in seeing how Valve/Steam follows up on this. I could be wrong but they don't seem to have a standardized bug reporting/reward system like say Facebook does, so it's entirely possible that his reporting got lost somewhere in customer support while his demonstration brought down the wrath of an entirely different & more authoritative ban hammer. Once things are all sorted out it could be appealed.

Another thing to keep in mind, Gabe likely isn't very fond of hackers after Valve got badly burned by the Half Life 2 source leak 10 years ago. When the German hacker eventually contacted him, Gabe played it cool sounding impressed and started talking about giving him a job, got the kid all excited and ready to come over for an interview, was going to even bring his family. But really Gabe wanted to take a crow bar to the punk, and was working with the FBI to bust his ass the moment he stepped on American soil. German authorities didn't really like that idea and arrested him first on their own turf.

RandV80:
I'm interested in seeing how Valve/Steam follows up on this. I could be wrong but they don't seem to have a standardized bug reporting/reward system like say Facebook does, so it's entirely possible that his reporting got lost somewhere in customer support while his demonstration brought down the wrath of an entirely different & more authoritative ban hammer. Once things are all sorted out it could be appealed.

Another thing to keep in mind, Gabe likely isn't very fond of hackers after Valve got badly burned by the Half Life 2 source leak 10 years ago. When the German hacker eventually contacted him, Gabe played it cool sounding impressed and started talking about giving him a job, got the kid all excited and ready to come over for an interview, was going to even bring his family. But really Gabe wanted to take a crow bar to the punk, and was working with the FBI to bust his ass the moment he stepped on American soil. German authorities didn't really like that idea and arrested him first on their own turf.

While going through threads on different websites about this, I was surprised by the number of examples like this people could cite. Of course, Valve is a company like any other and even though the Steam service is great, they will have problems on the corporate and interpersonal side.

I don't think Valve is overreacting too much.
He should've thought before acting like this on an account used for his job...

Kenjitsuka:
I don't think Valve is overreacting too much.
He should've thought before acting like this on an account used for his job...

The vulnerability existed (and according to some, still exists for onclick events) only in Steam announcements and the like, for which you need to have Steam Developer access.
He pretty much had to use his job account to prove a point.

That's also where the danger is, since Steam now has so many "indie" developers coming from Greenlight or self publishing, that the risk became greater and greater someone with malicious intent could exploit this.

Do you trust every game developer on Steam, including the ones making the shovelware? I don't.

I wish steam would ban more people. Fucking Air Control is still up on their store and they won't take any single action that protects consumers. Yet when some perceived harm is done to them they punish people harshly and quickly, even though he was arguably attempting to bring the situation to their attention. He stated he had contacted steam multiple times about the exploit but nothing had been done.

This shows steam IS willing to take action against developers but NOT in any cases that are actually beneficial to the consumer. On the face of it it seems like they don't take consumer security as seriously as they should. He shouldn't have done it but conversely he shouldn't have HAD to do it Valve shouldn't acted on information before someone has to actually use the exploit in a benign way to get their attention.

....... Wait they ONLY banned him for a year? I am ALMOST surprised at the comments in the thread, but not really.

Take this into context of another situation. A bank has a security flaw in their ATM, and at a company that has the contract to load software ads into the ATM(common in areas of America) an employee notices this fault. So as a joke to point out the issue after you put your card in the system, put in your pin, and request cash he makes it play the harlem shake for 60 seconds and flash the screen. The bank would press charges, and people would be IRATE.

MANY people have their credit card data in Steam, MANY people have hundreds of dollars in games on Steam. ANY hack or attack on that system is playing with a system that other people have invested money and or time into. As a DEVELOPER he should have known better as a gamer he should be appalled at himself.

This is a tough one to place judgement on. Perfect example of "does the ends justify the means?" I mean from one point, he did contact Steam and they did nothing. But hacking them isn't really a good option, a noticeable action and something they would have to respond to, but nonetheless a bad option. Maybe he should have tried harder, maybe Steam should have listened. I just think of what might happen if someone hacked that and played porn or something, Steam could be facing a massive lawsuit. I honestly cannot place judgement.

Scrumpmonkey:
I wish steam would ban more people. Fucking Air Control is still up on their store and they won't take any single action that protects consumers. Yet when some perceived harm is done to them they punish people harshly and quickly, even though he was arguably attempting to bring the situation to their attention. He stated he had contacted steam multiple times about the exploit but nothing had been done.

This shows steam IS willing to take action against developers but NOT in any cases that are actually beneficial to the consumer. On the face of it it seems like they don't take consumer security as seriously as they should. He shouldn't have done it but conversely he shouldn't have HAD to do it Valve shouldn't acted on information before someone has to actually use the exploit in a benign way to get their attention.

I said it once in Jim's video, I will say it again.

I am against false advertisment. I am against lying to the consumer, be it for game graphics (Watch Dogs and Aliens) or System Requirements (Wolfenstein, Watch Dogs). I am against developers having complete control over their communities and forums.

Still, taking down those devs and their games is wrong IMO. Who are we to decide quality? Bioshock Infinite is IMO not a good game. Under my somewhat draconian view of punishing developers and publisher for stupidity/incompetence, then Call of Duty Ghosts wont be sold.
I know people that LOVE these broken games because they know how/ try to fix them or play with them. That is their fun. I can not end it.

He was banned for a Terms of Service violation. Nothing more, nothing less.

So, will the internet finally pull its lips off Valve's dick for five minutes?

No, of course it won't.

Thanks Duda for your sacrifice. The Valve machine would not have done anything if not for your actions. You are a steam hero!

#lowerhis1yearban!

Remove the ban and take it on the chin like a man, Gabe.

Wow, the comments.

The Valve hate is just hilarious.

Weither it was a security flaw or not, the fact is, this guy hacked steam, and exploited a security flaw.

This a) violates pretty much every TOS ever, and b) is fantastically illegal.

If Valve wanted to be the bad guy, they would press charges and he would absolutely go to jail. Banning him for a year(note, non-permanently) is astoundingly light. His jail sentence would definitely have lasted longer than a year.

If you follow tech circles at all, any time someone attempts to 'do good' by intentionally exploiting a security flaw to force recognition of it, the people that got hacked, unsuprisingly, are unamused. And usually press charges. And then the hacker goes to jail.

But nah, lets get pissed at Valve.

gigastar:
He was banned for a Terms of Service violation. Nothing more, nothing less.

*Facepalm*

Way to completely miss the finer details of the situation.

WhiteTigerShiro:

gigastar:
He was banned for a Terms of Service violation. Nothing more, nothing less.

*Facepalm*

Way to completely miss the finer details of the situation.

What finer details do i need? He should have known better than to actually exploit this weakness just because he didnt feel as if he was being heard.

That and only a year is getting off lightly. Other hackers just recieve permabans.

I really cringe at the use of "hacker" for someone who just showed what was possible.
He did not hack -- he posted a script tag in the HTML of the update. That Valve stupidly had no protection against external scripts at all, and ignored all warnings that allowing this is a horrible idea for months, that is the issue.

I'm not arguing that Valve should not have taken action, but a warning to Timmy that a public reveal was not the best option instead of a year ban would be better. Even better would be a "thank you, we were stupid".

gigastar:

WhiteTigerShiro:

gigastar:
He was banned for a Terms of Service violation. Nothing more, nothing less.

*Facepalm*

Way to completely miss the finer details of the situation.

What finer details do i need? He should have known better than to actually exploit this weakness just because he didnt feel as if he was being heard.

That and only a year is getting off lightly. Other hackers just recieve permabans.

1) He tried doing things the official way, and basically got ignored. The problem went unfixed.

2) He exploited the weakness in a completely harmless manner.

3) Had he NOT done the above, then the weakness would have just sat there until someone with malicious intent exploited it.

In this day and age, you cannot just sit on a weak spot in your coding and expect the best. Valve could have gotten MUCH worse by ignoring this vulnerability. At best, they have a sluggish system for reporting bugs and never saw his report; at which point they need to find a way to streamline things. At worst, they flat-out ignored his report upon seeing it, and basically deserved to get hacked. So either way you look at it, it's Valve's fault that he was able to take advantage of this vulnerability, yet he is found at fault for drawing their attention to it so that they could fix it (which took them all of 30 minutes).

So yeah, there's a whole lot more to the story than your black and white interpretation of things.

Eiv:
Why not do this the MS way? Employ him. Reward him. Don't bloody ban him. This will just stop people from coming forward in the future if they find a vulnerability. The way he went about it was wrong, but maybe it was to prove the concept. No point reporting something that doesn't exist.

Yes, let's employ someone who messed with the system instead of just telling them about it, quietly. Hey, it worked like a charm in the fourth Die Hard movie. I think-

*POW!*

Whoa. Sorry, overloaded the sarcasm meter again.

Hmm, Timmy deleted the tweet about it. Maybe Valve is wising up...

Or he got in trouble with his boss.

WhiteTigerShiro:

gigastar:

WhiteTigerShiro:
*Facepalm*

Way to completely miss the finer details of the situation.

What finer details do i need? He should have known better than to actually exploit this weakness just because he didnt feel as if he was being heard.

That and only a year is getting off lightly. Other hackers just recieve permabans.

So yeah, there's a whole lot more to the story than your black and white interpretation of things.

Except, it still boils down to this:

Valve did something foolish. So he responded with doing something illegal.

Nothing about his ban alleviates Valve of responsibility. However, Valve's culpability with the problem doesn't magically erase the fact he violated their TOS and did something illegal.

If they wanted to be "bad guys" they could easily press charges and get him jail time which would last far longer than a year.

Going to a bank and saying 'your website has a vulnerability' and then hacking their homepage when ignored, even if it was just a silly cat picture, would get you incredible amounts of jail time.

This is no different.

Areloch:
Nothing about his ban alleviates Valve of responsibility. However, Valve's culpability with the problem doesn't magically erase the fact he violated their TOS and did something illegal.

If they wanted to be "bad guys" they could easily press charges and get him jail time which would last far longer than a year.

Erm, no. You can't get someone to go for jail for violating the TOS.

He did not hack any part of Steam -- he did not access anything he did not have access to, he did not change a single line of code. All he did was post [script src="stupid.harlem.shake.script.js"] in an old announcement, to show to his fellow devs that the problem Valve was ignoring, potentially could allow for disastrous effects.

erbkaiser:

Areloch:
Nothing about his ban alleviates Valve of responsibility. However, Valve's culpability with the problem doesn't magically erase the fact he violated their TOS and did something illegal.

If they wanted to be "bad guys" they could easily press charges and get him jail time which would last far longer than a year.

Erm, no. You can't get someone to go for jail for violating the TOS.

He did not hack any part of Steam -- he did not access anything he did not have access to, he did not change a single line of code. All he did was post [script src="stupid.harlem.shake.script.js"] in an old announcement, to show to his fellow devs that the problem Valve was ignoring, potentially could allow for disastrous effects.

Reddit is currently not loading for me for some reason, so I can't read the in-depth on the situation, but it sounds like he went into steam announcements about his game, which he shouldn't have direct access to, and attached a code to modify them.

Is that correct?

If it is, that's basically illegal. In a legal sense, any unwanted access to a virtual system is considered a violation and is punishable by law.

If he DID have legitimate access to it, I'm not sure why Valve would care at all. So maybe I'm just missing some detail somewhere, but if he accessed something he should not have, that's illegal. My point with the TOS is that they have every right to ban him. The (potential?)illegality of the action is what would net him jail time if Valve so chose to press charges.

WhiteTigerShiro:
1) He tried doing things the official way, and basically got ignored. The problem went unfixed.

2) He exploited the weakness in a completely harmless manner.

3) Had he NOT done the above, then the weakness would have just sat there until someone with malicious intent exploited it.

In this day and age, you cannot just sit on a weak spot in your coding and expect the best. Valve could have gotten MUCH worse by ignoring this vulnerability. At best, they have a sluggish system for reporting bugs and never saw his report; at which point they need to find a way to streamline things. At worst, they flat-out ignored his report upon seeing it, and basically deserved to get hacked. So either way you look at it, it's Valve's fault that he was able to take advantage of this vulnerability, yet he is found at fault for drawing their attention to it so that they could fix it (which took them all of 30 minutes).

So yeah, there's a whole lot more to the story than your black and white interpretation of things.

There are rules in place, and you receive a punishment if you break them.

Let's be serious here.

Any kind of professional workplace and company is like this. If you knowingly break the rules, there are procedures that will be followed, and in this case; he was handed a suspension.

I'm putting myself in his shoes, and it must have sucked. He was just trying to help, and draw attention to a potentially serious issue. And his pleas weren't be heard. That, SUCKS.

But I don't condone what this guy did. I'm sure he was in a frustrating position, but does that justify taking this kind of action? Like I said, I'm putting myself in his shoes, and I can't see this kind of action being worth it. Risking your professional relationship with Steam, your position to support your game, and possibly risk a part of your livelyhood? There must have been a better way to go about getting their attention and getting it fixed than this.

I've seen people handed suspensions in the workplace for less. Being sent away for something that happened out of sheer circumstantial bad luck. This guy took it upon himself to break the rules. You just can't do that kind of thing, especially as a professional.

However.

The original neglect and incompetence was Valve's fault. The guy broke the rules, so procedures are followed and he's suspended, okay. But an investigation should be launched to find out how this vulnerability came about in the first place, why it was never detected, why it was never fixed, and why his pleas for help went unheard. There sounds like some serious communication problems going on here, and Valve should accept responsibility for causing the problem in the first place.

While the guy shouldn't have done this, Valve should have addressed the problem way sooner. I see obvious faults on both sides here. Valve needs to correct the chain of events that led to this being a problem in the first place, and I don't think he should serve his entire suspension.

Areloch:
Is that correct?

No, that's not correct. As a Steam developer, he is allowed to post and modify announcements for his game. In this case, Euro Truck Simulator 2.

He used that access, which he is fully entitled to, to post an external script in an existing (old) announcement.

The problem is that by doing this, he exposed publicly that Steam was vulnerable to XSS. And that is after he alerted them of the issue months ago, which Valve ignored under the conceit that they "trust their developers".
Rather than admit they were wrong to ignore it and fix it, Valve decided to ban him for it.

Bit tight really. People often get a job or at least a thank you for exposing security flaws. I know he's technically broken the terms of service but I'd think a bit of discretion is in order.

I don't see a response from Valve though. This could be the kind of thing that get automatically banned but overturned once they look at the details. I'd imagine with the amount of users Steam has, they can't immediately be aware of the circumstances behind every ban.

erbkaiser:

Areloch:
Is that correct?

No, that's not correct. As a Steam developer, he is allowed to post and modify announcements for his game. In this case, Euro Truck Simulator 2.

He used that access, which he is fully entitled to, to post an external script in an existing (old) announcement.

The problem is that by doing this, he exposed publicly that Steam was vulnerable to XSS. And that is after he alerted them of the issue months ago, which Valve ignored under the conceit that they "trust their developers".
Rather than admit they were wrong to ignore it and fix it, Valve decided to ban him for it.

Ah, I see.

It read like he shouldn't have been able to modify old announcements, or otherwise didn't have access.

Knowing that, I still come down on the side of 'you can't be surprised when you get in trouble for exploiting vulnerabilities', but at the same time it probably wasn't necessary on Valve's part to do the ban. It does make me wonder who issues bans in cases like this. Since it falls outside your usual VAT or community bans. Hm.

Alas, I work in tech support, and I know that sometimes it takes a RETARDED amount of time for the upper echelons to get off their butts and implement a fix. Usually after it blows up in their face. Unfortunately, that's less a 'Valve is bad' thing specifically, and more just 'people in tech are horrifically lazy idiots' :/

WhiteTigerShiro:

gigastar:

WhiteTigerShiro:
*Facepalm*

Way to completely miss the finer details of the situation.

What finer details do i need? He should have known better than to actually exploit this weakness just because he didnt feel as if he was being heard.

That and only a year is getting off lightly. Other hackers just recieve permabans.

1) He tried doing things the official way, and basically got ignored. The problem went unfixed.

And thats where he should have stopped.

WhiteTigerShiro:
2) He exploited the weakness in a completely harmless manner.

3) Had he NOT done the above, then the weakness would have just sat there until someone with malicious intent exploited it.

In this day and age, you cannot just sit on a weak spot in your coding and expect the best. Valve could have gotten MUCH worse by ignoring this vulnerability. At best, they have a sluggish system for reporting bugs and never saw his report; at which point they need to find a way to streamline things. At worst, they flat-out ignored his report upon seeing it, and basically deserved to get hacked. So either way you look at it, it's Valve's fault that he was able to take advantage of this vulnerability, yet he is found at fault for drawing their attention to it so that they could fix it (which took them all of 30 minutes).

So yeah, there's a whole lot more to the story than your black and white interpretation of things.

And heres what you dont seem to get;

Good intentions do NOT justify illegal activity.

He should have just left it alone and if someone else found the exploit before it was fixed and used it for malicious purpose then we would have legitimate reason to blame Valve.

But no, he went and engaged in illeagal activity.

Dev guy is in the wrong here, Valve is just following thier own proceedure. and dev guy is lucky that he wasnt simply permabanned and facing a lawsuit for what he did.

gigastar:

Good intentions do NOT justify illegal activity.

Except when they do.

WhiteTigerShiro:

gigastar:
Good intentions do NOT justify illegal activity.

Except when they do.

The road to hell is paved with good intentions. If Valve did not rush to fix the exploit after his demonstration then all sorts of nonsense could have happened.

 Pages 1 2 NEXT

Reply to Thread

Log in or Register to Comment
Have an account? Login below:
With Facebook:Login With Facebook
or
Username:  
Password:  
  
Not registered? To sign up for an account with The Escapist:
Register With Facebook
Register With Facebook
or
Register for a free account here