Tomá? Duda placed a “Harlem Shake” prank on a Steam page to expose a vulnerability and was then banned by Valve.
Update: Duda has been unbanned!
After seeing the reactions across the multiple forums (including our own), this has been a divisive issue. While some people strongly feel Duda’s ban was another example of corporate inhumanity, others highlight that his action was irresponsible and did exploit a vulnerability. Still, a number of people on both sides felt that Valve could have handled the issue better by addressing the exploit when it first came up or by recognizing Duda’s intent. It seems that after some time, the people at Valve decided to lift the ban. It’s unclear whether this is because the initial ban was a sudden reaction by some moderator or security personnel or if Valve considered the PR implications.
Original Story: Tomá? Duda, an employee of Euro Truck Simulator 2 developer SCS Software, has been banned from Steam after exposing a security issue with the service. According to his comments on Reddit, Duda had reported to Valve that certain code was permitted in the announcement pages for games that could allow for exploits.
While Duda was talking with other Steam users, this issue came up and he implemented a “Harlem Shake” style prank in an old announcement page for his company’s game, Euro Truck Simulator 2. The code caused the screen to shake and play the “Harlem Shake” song from a meme that has (thankfully) faded from common use. The fact that the code was placed into one of Duda’s announcements from early April would suggest that this was meant as a way to prove the vulnerability existed and could be exploited and maybe draw attention from someone at Valve.
It did. Valve quickly fixed the page and returned it to its original state and then banned Duda for a year. Duda, who owns over 1,200 Steam games, also lost access to everything developer related as well. He still has access to his games, but he is unable to participate in the Steam community. Duda took on the role of answering questions and posting announcements for SCS Software’s games and is now unable to contribute in this way, nor is he able to be a part of the overall Steam community.
How dangerous is this security exploit? While the exact technicalities of the vulnerability are beyond me, a portion of the Reddit thread discussing Duda’s ban goes into the possibilities. Reddit users explain that it doesn’t give a person direct access to your computer, but can trick Steam users and use data entered on the webpage. Key loggers, rerouted payments, or accessing other browser tabs are some of the theoretical problems that exist. For example, user purple_pixe states:
They can’t do “harm” in the sense of a computer virus on your local machine doing harm to that machine, but they can still do all sorts of nasty things to your connection with the server.
Like making you think that the “Steam Store” you’re sending your payment to is in fact the Steam Store and not a hijacked version of the same where all the money goes to whoever put the exploit up. (That specific danger may or may not exist with this particular exploit, but that’s the general idea of why it’s bad even in a sandbox)
On the one hand, it’s important that Valve address security concerns when they are brought up, and apparently Valve decided this vulnerability needed to be fixed once it was exploited. However, Duda did violate the Steam Subscriber agreement to implement his exploit, not to mention he is a representative of his company on that announcement page. Being forced to face repercussions for his actions is understandable, but Valve could be less severe with their penalty given the intent of Duda’s prank.
Note: While researching this story, I found that Escapist user erbkaiser posted about this in our forums yesterday!