Euro Truck Simulator dev has been banned from steam for using <script> in steam announcement
[QUOTE=kwk;45120706]And this is where they fucked up. If there's a problem, the way to solve it isn't to abuse it yourself in any way, and then complain about any future consequences.[/QUOTE]
The alternative is either giving Valve even more time or leaving it undisclosed until some other developer that might -actually- abuse this (stealing accounts, items etc.) finds out about it.
Timmy took one for the team, so to speak.
EDIT: Posted this under the idea that the exploit Timmy used was resolved. It's not.
EDIT2: It is now resolved
[QUOTE=Marlamin;45120732]
Timmy took one for the team, so to speak.[/QUOTE]
This is what I'm trying to say, but he keeps complaining non-stop about it via Twitter and on Reddit. My argument is that he shouldn't be bitching because this is exactly what he should have expected when he did that: Took one for the team. He wanted to prove a point so badly? Good job, he did, but now he has to pay the price. It's life. Am I saying he deserved the ban? No, but what I'm saying is that it's fucking ridiculous that people are getting on Valve's case and saying Timmy was a white-knight hero.
look guys, there's two ways to exploit a vuln. you can make everything on the page shake, which is incredibly obvious yet harmless, or you can send people's auth cookies to a remote server for a few hours every few days, which nobody would probably notice. what do you think is worse?
[editline]16th June 2014[/editline]
also
[img]http://puu.sh/9w7eD/72494fe564.png[/img]
Damn Steam sucks.
Meanwhile on facepunch:
<script src=""></script>
Oh look, htmlentities() coming into effect and preventing this from ever happening.
I love news like this, it's even better when i check Granpcs steam and most of his cards are phill fish.
[img]http://i.imgur.com/CvoWe47.png[/img]
[QUOTE=Handsome Matt;45121012]oh wow, why're you even comparing the two[/QUOTE]
I don't know, why not compare a multimillion dollar company's site that handles monetary transactions to dr frankenstein's ripped-apart-and-glued-together proboards. We're both running PHP after all.
<script> tags can probably still be placed in news article titles that come to steam as well I bet.
Does anybody have a backup of the script so we can see the shake too?
So what did the script do?
[QUOTE=Same post from Reddit quoted in op](Facepunch pls, I'm just joking, I love these guys... Don't blame Gran or anyone.)[/QUOTE]
I say we don't let it slide
[QUOTE=MatheusMCardoso;45121176]So what did the script do?[/QUOTE]
I am assuming it did something like this
[media]http://www.youtube.com/watch?v=Om1Hoz4k9Ww[/media]
There's a bookmarklet too (no idea if this works).
[editline]16th June 2014[/editline]
Nope, Facepunch mangles the URI. Get it from [URL="https://www.moovweb.com/blog/happy-valentines-day-internet-behold-the-harlem-shake-bookmarklet/"]here[/URL].
Although I wonder what effect it has on the game and studio, since ETS is still on sale on steam, so what? Just means that this one person can't do anything related to steam and so would have to get another dev to upload patches or whatever?
So if Valve isn't fixing exploits in Steam, what exactly are they doing?
[QUOTE=Srillo;45122716]So if Valve isn't fixing exploits in Steam, what exactly are they doing?[/QUOTE]
Half Life 3 and hats
[QUOTE=Srillo;45122716]So if Valve isn't fixing exploits in Steam, what exactly are they doing?[/QUOTE]
Everybody is working on their own thing while being paid to do their own thing?
[QUOTE=Srillo;45122716]So if Valve isn't fixing exploits in Steam, what exactly are they doing?[/QUOTE]
this isn't an exploit. this is a thing for devs that shouldn't be used like this. it can only be used on official groups.
[QUOTE=Sir Whoopsalot;45120580]Someone found out that the SMB level database for user-created levels had abysmal security and told the developer who proceeded to get cocky as fuck about it. That person made the info public and then this happened.
[img]http://img820.imageshack.us/img820/1641/itsfinetrustme.png[/img][/QUOTE]
Facepunch: Making history
im so confused, what in the hell are they referring to with 'harlem shake'?
[QUOTE=testinglol;45123023]this isn't an exploit. this is a thing for devs that shouldn't be used like this. it can only be used on official groups.[/QUOTE]
Honestly I agree. Valve trusts the official groups enough to give them raw html access, and if it were to be abused then that's on them
Yeah this doesn't even sound like an exploit, sounds like valve enabled this so announcements and stuff could contain videos and things.
I think valve just expects better out of devs.
[QUOTE=Furnost;45123060]im so confused, what in the hell are they referring to with 'harlem shake'?[/QUOTE]
a script amcmcwatters made that shook every element on the page and played harlem shake
[QUOTE=Map in a box;45123117]a script amcmcwatters made that shook every element on the page and played harlem shake[/QUOTE]
well in that case cant really say i feel all that sympathetic for doing unfunny garbage
[QUOTE=testinglol;45123023]this isn't an exploit. this is a thing for devs that shouldn't be used like this. it can only be used on official groups.[/QUOTE]
[QUOTE=Map in a box;45123066]Honestly I agree. Valve trusts the official groups enough to give them raw html access, and if it were to be abused then that's on them[/QUOTE]
It's still an exploit if a dev can go rogue and launch an XSS attack.
[QUOTE=Untouch;45123096]Yeah this doesn't even sound like an exploit, sounds like valve enabled this so announcements and stuff could contain videos and things.
I think valve just expects better out of devs.[/QUOTE]
Videos are fine. Scripting is not.
They enable raw html into dev announcements? That's just fucking absolute retarded.
Steam already has bbcode, just give devs a fucking img and video tag and there you go, problem solved.
They don't need raw fucking html.
With greenlight opening up, there is really no sense in allowing raw HTML in any kind of developer fields. There are plenty of better ways to get things like videos embedded into posts.
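The approach several posts here argue for (escape everything, then allow only a few BBCode tags), sketched as an added example; it is not code from this thread, Steam or Facepunch. The function names and the example.com inputs are assumptions, and `escapeHtml` stands in for the PHP `htmlentities()` call mentioned earlier.

```javascript
// Constructed example: render announcement text by escaping all of it and
// re-introducing only [img] and [url] tags whose URL passes a scheme check.

// Rough stand-in for PHP's htmlentities()/htmlspecialchars() with ENT_QUOTES.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Accept only absolute http(s) URLs. The URL parser normalises case and strips
// embedded tabs/newlines, so "JaVa\tScRiPt:" is still seen as javascript:.
function safeUrl(raw) {
  try {
    const url = new URL(raw.trim());
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
  } catch {
    return null; // relative, empty or unparseable
  }
}

// [img]URL[/img] or [url=URL]label[/url]; quotes around the URL are optional.
const TAG = /\[img\]([^\[\]]*)\[\/img\]|\[url="?([^\[\]"]*)"?\]([^\[\]]*)\[\/url\]/gi;

function renderAnnouncement(input) {
  let out = '';
  let last = 0;
  for (const m of input.matchAll(TAG)) {
    out += escapeHtml(input.slice(last, m.index)); // text between tags
    const isImg = m[1] !== undefined;
    const href = safeUrl(isImg ? m[1] : m[2]);
    if (href === null) {
      out += escapeHtml(m[0]); // refused URL: show the tag as literal text
    } else if (isImg) {
      out += `<img src="${escapeHtml(href)}" alt="">`;
    } else {
      out += `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(m[3])}</a>`;
    }
    last = m.index + m[0].length;
  }
  return out + escapeHtml(input.slice(last));
}

// Constructed sample input: raw markup is shown as text, the image is kept.
console.log(renderAnnouncement('<script src=""></script> [img]https://example.com/a.png[/img]'));
```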
[QUOTE=testinglol;45123023]this isn't an exploit. this is a thing for devs that shouldn't be used like this. it can only be used on official groups.[/QUOTE]
Trust-based systems are bullshit.
Valve is really incompetent when it comes to this sort of thing. It's not the first time they were informed of a potentially serious security vulnerability and did absolutely nothing about it for months.
I think they're getting too comfortable with their monopoly.
[QUOTE=Zeke129;45124035]Valve is really incompetent when it comes to this sort of thing. It's not the first time they were informed of a potentially serious security vulnerability and did absolutely nothing about it for months.
I think they're getting too comfortable with their monopoly.[/QUOTE]
Their monopoly has actually subsided with the emergence of services like Amazon, GMG, Origins, and GOG. They may still be a large majority, but not a monopoly. And frankly, I find that is where the problem lies. It's one of the rare cases where the fall of a monopoly is harmful. Before, they had free will to do as they pleased, but this also meant they could take risks with impunity. That is basically what Valve was known for, taking risks. But compare that to now, and most of what they do is a lot safer and more calculated. The market is a lot tougher, and they lack the leisure the gaming community took for granted previously. And the problem is we came to, understandably, expect that as the standard. But neither they nor anyone else can really meet that standard these days. And certainly not an entity as big as Steam. At this point it's basically just taking safe, appeasing measures that will keep people content, from all parties. EA makes one or two with Origins, Valve responds, then makes a couple of their own. Amazon has to do something of its own, GMG has to, GOG needs one as well.
That's why most of their "risk-taking" is moving away from things like Steam and games themselves and into hardware, it's a field there where they do not have to be constantly stopping to check every move to avoid faltering and losing out to someone else. There isn't really competition in what they're working on, and much of it is more of the communal, cooperative approach at this stage.
[QUOTE=Zeke129;45124035]Valve is really incompetent when it comes to this sort of thing. It's not the first time they were informed of a potentially serious security vulnerability and did absolutely nothing about it for months.
I think they're getting too comfortable with their monopoly.[/QUOTE]
I think of it that there are still loads of people out there who don't see Greenlight as a bad thing and embrace it, therefore would see filth if Valve decides to suddenly stop Greenlight.
Sadly greenlight is not the only feature that should be removed or revamped, mostly i feel that Valve is pretty much very closed and that they only focus on one particular thing because right now their focus is completely on The International. I mean they do have 350+ employees at the moment..