:format(webp)/cdn.vox-cdn.com/uploads/chorus_image/image/49189185/Screen_Shot_2016-03-29_at_12.08.32_PM.0.0.png)
Thanks to an exploit, a programmer quietly uploaded a prank project to Steam over the weekend — one which Valve has since delisted. According to its description, Watch Paint Dry, launching April 1, was "a sports-puzzle game that evolves around one mysterious cutscene." But that cutscene wasn't so mysterious after all, based on its screenshots and name.
Watch Paint Dry was a game explicitly about watching paint dry and, its "developer" said in a post-mortem of the quirky project, it wasn't much of a game at all.
"[Watch Paint Dry] is no more than a prank and was merely to test something I've been trying to report to Valve for the past few months — the ability to get any game you want on Steam, without Valve ever even having a look at it," the creator, Ruby, wrote in a post on Medium.
An early April Fools' joke
Ruby — who is based in England — explained how after gaining access to the Steamworks Developer Program, Valve's publishing platform and backend for the service, he sought to find vulnerabilities within it. This led him to concocting the prank, timed for April Fools' Day.
He created trading cards to help legitimize the "game" — "What sort of game would 'Watch paint dry' be without some amazing trading cards?" he wrote. He quickly crafted some of the collectible cards, which users pick up through basic gameplay on Steam.
"However, Valve need to review the cards, emoticons and backgrounds before I can release them," he said.
This is where Ruby discovered the first hole in Steamworks. After editing some of the values in the request forms, he was able to make it seem like a Valve employee had approved his game's trading card component, despite the fact that no one at Valve had actually seen the request.
After that, Ruby was able to make further edits, with help from his computer programming background. He altered the HTML for the game's "release ID" so that it would appear on the Steam store page, again without Valve's knowledge; he was able to change the game from requiring a final review to bearing the official "reviewed" status with just minor changes to the code.
That's how Watch Paint Dry appeared on the Steam store, ahead of its "official launch" — and without Valve having actually participated in any part of the release process.
:format(webp):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/6258741/ss_c260d81f5010b96c504aa207f1b038f55c55c274.600x338.0.jpg)
While this might seem like a hack pulled off to shame Valve for the holes in its release infrastructure, Ruby maintains that this was a mutually beneficial experiment.
"Something I've definitely learned from doing this is when working with user-generated content that first needs to be approved, do not have 'Review Ready' and 'Reviewed' as two states of existence for the content," he wrote. He suggested that Valve change its approach by adding an "audit trail," creating "review tickets" for each update made during a game's path to release.
"Or just don't allow users to set the item to 'Released,'" he added.
Valve has caught on to the prank, removing Watch Paint Dry from Steam before its official "release date." We've reached out to the company to confirm that it's aware of, or fixed up, the exploit, as explained by Ruby.
Correction: Ruby is a web developer, not a game designer. The text above has been corrected to reflect this.
