Avi Duda is a young developer working for SCS Software, the developers of the Euro Truck Simulator series. They recently found a vulnerability with Valve’s Steam service, and having reported it once to no response, reported it again via an elaborate prank. Which has got them suspended from certain parts of Steam for a whole year.
Duda altered the code on an old sale notice for Euro Truck Simulator 2 to be able to shake the screen and play the Harlem Shake. Which sounds harmless, but it’s something Valve has taken very seriously.
“Avi essentially lives on Steam”, Pavel Sebor, CEO of Czech studio SCS tells Kotaku in an email, “keeping an eye on everything happening there, every little gossip, every little new feature, parsing source code changes, they frequently suggest fixes and improvements directly to Valve. That’s why I hired them really so that they can help us push our games towards closer Steam services integration, their insight into the whole system is really deep.”
“Over the course of last year”, Sebor explains, “They have found more than one vulnerability in Steam’s systems, always dutifully reporting them. This one was already reported a few months ago too, then forgotten about, but as they explained to me a short while ago, just yesterday it popped up in discussion in a closed discussion group of a few like-minded guys, and verified to still not be fixed. So Avi supposedly wanted to play a little joke on somebody at Valve, and injected a proof of concept code into an old-forgotten announcement post, what they thought was deep enough under layers of new stuff that nobody would discover it by chance. Valve were on it within 30 minutes with a fix.”
They were also quick on the banhammer. Duda has been banned from community aspects (like forums) for 12 months as a user, but they’re also locked out of some developer stuff as well. Messing with Steam’s code, no matter how harmless the intentions, is something Valve obviously takes pretty seriously.
“Avi as an individual indeed had some of their personal developer/publisher permissions revoked by Valve staff, which is a penalty they will no doubt feel very harshly”, Sebor adds. “They have some hard work ahead of them to earn the trust back.”
“They’re a good kid, I trust that they will grow wiser with time.”
We’ve also contacted Valve for comment on this story, and will update if we hear back.