Ruby Nealon, a 16-year-old university student from England, says that probing various corporate servers for vulnerabilities has been a hobby of his since the age of 11. His efforts came to the attention of Valve (and the wider world) after an HTML-based hack let him post a game called "Watch paint dry" on Steam without Valve's approval over the weekend.
Once that exploit was fixed and publicized, Nealon quickly discovered a second Steam exploit, which Valve has since fixed. This one took advantage of a cross-site scripting hole to hijack a Steam admin's authentication cookie through Valve's own administrative Steam Depot page. Before it was reported and patched, this exploit could have given attackers unprecedented control of Steam's backend, basically letting them pretend to be a Valve administrator.
http://arstechnica.com/gaming/2016/04/steam-hacker-says-more-vulnerabilities-will-be-found-but-not-by-him/
