Valve bans Euro Truck Simulator dev for demonstrating a security vulnerability in Steam

CarnivalOfFear

Quote from the dev:

"Edit: [i got banned for this for a year](https://twitter.com/tomasduda/status/478301124257411072). Also lost access to the Steamworks Partner site too, so can't do anything dev related. Praise Gaben.

Harlem Shake is over, one of the Valve guys is fixing it at the moment.

Short version of what happened: <script> tags were allowed in community announcements. We were talking about weird Steam's HTML parsers in the #steamdb channel, and then Harlem Shake happened. Blame xPaw, Marlamin and Gran PC, of course."

Source: http://www.reddit.com/r/Steam/comments/288azx/what_the_fuck_steam/ci8ebud


Is this the reason ETS2 is on sale on Origin but not Steam? :D

| Intel i7-3770@4.2Ghz | Asus Z77-V | Zotac 980 Ti Amp! Omega | DDR3 1800mhz 4GB x4 | 300GB Intel DC S3500 SSD | 512GB Plextor M5 Pro | 2x 1TB WD Blue HDD |
 | Enermax NAXN82+ 650W 80Plus Bronze | Fiio E07K | Grado SR80i | Cooler Master XB HAF EVO | Logitech G27 | Logitech G600 | CM Storm Quickfire TK | DualShock 4 |


Valve bans dev, says the dev. I don't know what happened at all, but one thing I do know as a good widdle skeptic is to wait for the other side on every issue.


Yeah, Valve isn't good with bans. I got matchmake banned for 7 days on CS:GO because I "abandoned" a game because a vpk file wouldn't validate. So I quickly verified game files but it was too late...


Valve needs to get their shit together on more than one front ASAP. Losing patience, Gaben; your dictatorship and power craze is getting out of hand.

Beneath this mask there is more than flesh. Beneath this mask there is an idea, Mr. Creedy, and ideas are bulletproof.

As I get older I get angrier more cynical, meaner. I feel some warning posts coming. I feel a ban coming. I was warned.

CPU-i5 2400 GPU-Sapphire Radeon HD 7970 OC Mobo-H67MA-D2H-B3 Ram-G.Skill Ripjaws 8gb 1333mhz Case-Fractal Define R4 PSU-Corsair CX750 Storage-Samsung EVO 250gb, 1tb WD Black,Hitachi 1tb Other stuff-Corsair K90, M90 Cooling-3x 140mm Fractal fans Sound-Sennheiser HD438 headphones

This is what happened if I understand correctly:

1) Steam allows scripts in the community announcement pages. This is a huge security risk since someone that can make community announcements (nefarious developer, hijacked account, developer that has been approved for greenlight etc) could inject malicious scripts into the page.

2) A Euro Truck Simulator developer reported this to Valve several months ago and the reply they got was along the lines of "We trust that developers won't put any malicious scripts in there".

3) Someone from Euro Truck Simulator added some harlem shake script to their announcement that ETS2 was on sale.

4) Valve bans their account.


> This is what happened if I understand correctly:
>
> 1) Steam allows scripts in the community announcement pages. This is a huge security risk since someone that can make community announcements (nefarious developer, hijacked account, developer that has been approved for greenlight etc) could inject malicious scripts into the page.
>
> 2) A Euro Truck Simulator developer reported this to Valve several months ago and the reply they got was along the lines of "We trust that developers won't put any malicious scripts in there".
>
> 3) Someone from Euro Truck Simulator added some harlem shake script to their announcement that ETS2 was on sale.
>
> 4) Valve bans their account.

I see, thanks for the explanation.

I could maybe understand the ban (maybe not something as harsh as a year-long ban) if the dev resorted to adding the harlem shake script right off the bat, but if Valve really intended to do nothing after several months, I'm pretty disappointed in them. C'mon, Valve! Did you move all your smart people from Steam to working on new hardware projects? D:

Still, this is just one side of the story, and I'd like to see what Valve's response is (hopefully they give one).


> This is what happened if I understand correctly:
>
> 1) Steam allows scripts in the community announcement pages. This is a huge security risk since someone that can make community announcements (nefarious developer, hijacked account, developer that has been approved for greenlight etc) could inject malicious scripts into the page.
>
> 2) A Euro Truck Simulator developer reported this to Valve several months ago and the reply they got was along the lines of "We trust that developers won't put any malicious scripts in there".
>
> 3) Someone from Euro Truck Simulator added some harlem shake script to their announcement that ETS2 was on sale.
>
> 4) Valve bans their account.

Hmm, what useful features would be removed if they disallowed the use of these scripts? Are they normally used for anything useful on a regular basis?


Oh come on, the first rule of internet security is that you don't allow the <script> tag to be parsed. The possible positive benefits of it are vastly outweighed by the negatives of allowing anybody to run any code, especially in an application that can initiate money transfers. Somebody could, in theory, write a script on their page that bought the product without the user having any input when they visited the game's page in Steam.

I mean, we had that self-retweeting tweet in Tweetdeck last week that was because of the script tag not being filtered out. A self-replicating tweet in 138 characters.

Intel i7 5820K (4.5 GHz) | MSI X99A MPower | 32 GB Kingston HyperX Fury 2666MHz | Asus RoG STRIX GTX 1080ti OC | Samsung 951 m.2 nVME 512GB | Crucial MX200 1000GB | Western Digital Caviar Black 2000GB | Noctua NH-D15 | Fractal Define R5 | Seasonic 860 Platinum | Logitech G910 | Sennheiser 599 | Blue Yeti | Logitech G502

 

Nikon D500 | Nikon 300mm f/4 PF  | Nikon 200-500 f/5.6 | Nikon 50mm f/1.8 | Tamron 70-210 f/4 VCII | Sigma 10-20 f/3.5 | Nikon 17-55 f/2.8 | Tamron 90mm F2.8 SP Di VC USD Macro | Neewer 750II
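
As an added example (not part of the original thread, and not Steam's code): one way to render author-supplied announcement text so that a `<script>` tag is never parsed, assuming announcements are written in a small BBCode-style markup. The tag allowlist, function names and sample text are assumptions made for the illustration.

```javascript
// Added example: hypothetical announcement renderer. Author input is never
// parsed as HTML; it is escaped first, then a small allowlist of
// BBCode-style tags is mapped to known-safe markup.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

function renderAnnouncement(source) {
  // 1. Neutralise every HTML metacharacter, so <script>, <img onerror=...>
  //    and similar input becomes visible text instead of markup.
  let html = escapeHtml(source);

  // 2. Links: only http(s) targets become anchors. Any other scheme
  //    (javascript:, data:, ...) is dropped and only the label is kept.
  //    The href is already escaped, so it cannot close the attribute.
  html = html.replace(/\[url=([^\]\s]+)\]([\s\S]*?)\[\/url\]/gi, (match, href, label) =>
    /^https?:\/\//i.test(href)
      ? `<a href="${href}" rel="noopener noreferrer">${label}</a>`
      : label);

  // 3. Simple formatting tags from a fixed allowlist.
  html = html.replace(/\[(b|i|u)\]([\s\S]*?)\[\/\1\]/g, '<$1>$2</$1>');

  return html.replace(/\r?\n/g, '<br>');
}

// Constructed sample announcement (not taken from the incident).
const SAMPLE = [
  '[b]Now on sale[/b] <script src="https://example.invalid/dance.js"></script>',
  '<img src=x onerror="alert(1)">',
  '[url=javascript:alert(1)]details[/url]',
  '[url=https://example.com/sale?a=1&b=2]store page[/url]',
].join('\n');

console.log(renderAnnouncement(SAMPLE));
```

Escaping on output covers the rendering path only; a Content-Security-Policy that forbids inline and third-party scripts is the usual second layer in case some other code path emits author input unescaped.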


To everyone waiting for Valve's response, don't hold your breath, there probably won't be one. Valve knew about the exploit and claimed it was intentional (which is complete bs btw).

------------------------------------------------------I HAZ SHINY----------------------------------------------------------



> Oh come on, the first rule of internet security is that you don't allow the <script> tag to be parsed. The possible positive benefits of it are vastly outweighed by the negatives of allowing anybody to run any code, especially in an application that can initiate money transfers. Somebody could, in theory, write a script on their page that bought the product without the user having any input when they visited the game's page in Steam.
>
> I mean, we had that self-retweeting tweet in Tweetdeck last week that was because of the script tag not being filtered out. A self-replicating tweet in 138 characters.

Are we really talking XSS vulnerability? If yes, that's terrible. Can't believe my lord would allow such a noob mistake.


I'm dissagabened.

 

I think I found my new favorite word. I'm curious about its definition.



I would have banned him for life for Harlem Shake.

 

But other than that I still find it ridiculous to draw extra attention to a possible security vulnerability. Nothing is 100% secure. Trying to patch up every single flaw would leave you with a crippled experience.

 

By drawing attention to this "flaw" this developer just invited other people to use it for no reason whereas before most people did not know it existed or cared that it existed. It isn't a security flaw if there is no one using it.

 

Valve was right to say they trust developers to not fuck up because if they do, this happens to them.

The stone cannot know why the chisel cleaves it; the iron cannot know why the fire scorches it. When thy life is cleft and scorched, when death and despair leap at thee, beat not thy breast and curse thy evil fate, but thank the Builder for the trials that shape thee.

....

 

Harlem Shake is old and anyone who still references it should feel bad.

 

 


Valve, there's a reason why Steam is becoming worse and worse. Maybe listen to people and you'll have a decent service.


> I would have banned him for life for Harlem Shake.
>
> But other than that I still find it ridiculous to draw extra attention to a possible security vulnerability. Nothing is 100% secure. Trying to patch up every single flaw would leave you with a crippled experience.
>
> By drawing attention to this "flaw" this developer just invited other people to use it for no reason whereas before most people did not know it existed or cared that it existed. It isn't a security flaw if there is no one using it.
>
> Valve was right to say they trust developers to not fuck up because if they do, this happens to them.

Double standards: Find/Replace "Steam" for "Origin" and everybody would be up in arms pulling out their favorite "Fuck EA" gifs. At least some folk are just skeptical and want to hear Valve's side but this attitude you have it's just wrong imho: If you want Valve to continue to have high standards they must be confronted whenever something bad happens.

-------

Current Rig

-------


> Double standards: Find/Replace "Steam" for "Origin" and everybody would be up in arms pulling out their favorite "Fuck EA" gifs. At least some folk are just skeptical and want to hear Valve's side but this attitude you have it's just wrong imho: If you want Valve to continue to have high standards they must be confronted whenever something bad happens.

I would have said the same if it was EA. I don't agree with the guy's attitude. The company has told him they trust him and he betrayed this trust almost immediately.

 

There are lots of things wrong with Steam and Valve but this isn't one of them.

The stone cannot know why the chisel cleaves it; the iron cannot know why the fire scorches it. When thy life is cleft and scorched, when death and despair leap at thee, beat not thy breast and curse thy evil fate, but thank the Builder for the trials that shape thee.

> I would have banned him for life for Harlem Shake.
>
> But other than that I still find it ridiculous to draw extra attention to a possible security vulnerability. Nothing is 100% secure. Trying to patch up every single flaw would leave you with a crippled experience.
>
> By drawing attention to this "flaw" this developer just invited other people to use it for no reason whereas before most people did not know it existed or cared that it existed. It isn't a security flaw if there is no one using it.
>
> Valve was right to say they trust developers to not fuck up because if they do, this happens to them.

So much wrong, such wow...

> Trying to patch up every single flaw would leave you with a crippled experience.

No, not allowing <script> to be run is so basic it's security 101. Here's 2 videos on XSS and cross-site scripting to educate yourself. Really easy to understand and you can see the implications.

> By drawing attention to this "flaw" this developer just invited other people to use it for no reason whereas before most people did not know it existed or cared that it existed.

Maybe he's saying bullshit about warning Valve. But if he did and Valve didn't answer with a "Oh thanks, we're working on it", they're wrong. I don't say he did the right thing by exposing it. But Valve surely did not do the right thing ignoring it.

> It isn't a security flaw if there is no one using it.

Really!?! Wow... not much to say here.

> Valve was right to say they trust developers to not fuck up because if they do, this happens to them.

You can't let vulnerabilities open to developers just on good faith. It ain't right. @Misanthrope is spot on, replace Steam by Origin and it's the shit storm right here.

We can't know how big this issue can be. It surely can abuse Steam pretty easily, clicking on every link on that page. Maybe even a little bit further and buying without user's consent. Who knows...


> We can't know how big this issue can be. It surely can abuse Steam pretty easily, clicking on every link on that page. Maybe even a little bit further and buying without user's consent. Who knows...

I don't think so. If it was that easy why hasn't it happened up until now?

No developer in the world is stupid enough to exploit this. It doesn't matter if the flaw is there, no one will use it because no developer would dare being kicked out of Steam.

The stone cannot know why the chisel cleaves it; the iron cannot know why the fire scorches it. When thy life is cleft and scorched, when death and despair leap at thee, beat not thy breast and curse thy evil fate, but thank the Builder for the trials that shape thee.

 

> You can't let vulnerabilities open to developers just on good faith. It ain't right. @Misanthrope is spot on, replace Steam by Origin and it's the shit storm right here.

There has to be a lot of trust between devs and Steam. They don't test the binaries that devs upload. Who knows, one day a dev might go "fuck it, I want some bitcoin" and just sneak a miner into the game.

CPU: i7 4770k | GPU: Sapphire 290 Tri-X OC | RAM: Corsair Vengeance LP 2x8GB | MTB: GA-Z87X-UD5H | COOLER: Noctua NH-D14 | PSU: Corsair 760i | CASE: Corsair 550D | DISPLAY: BenQ XL2420TE

Firestrike scores - Graphics: 10781 Physics: 9448 Combined: 4289

"Nvidia, Fuck you" - Linus Torvalds


> I don't think so. If it was that easy why hasn't it happened up until now?
>
> No developer in the world is stupid enough to exploit this. It doesn't matter if the flaw is there, no one will use it because no developer would dare being kicked out of Steam.

Probably because it has happened, there are things known as private exploits

------------------------------------------------------I HAZ SHINY----------------------------------------------------------



> Probably because it has happened, there are things known as private exploits

In this day and age I don't think something like that can stay a secret.

The stone cannot know why the chisel cleaves it; the iron cannot know why the fire scorches it. When thy life is cleft and scorched, when death and despair leap at thee, beat not thy breast and curse thy evil fate, but thank the Builder for the trials that shape thee.