Valve Rewarded $20k to Someone Who Found a Particular Bug

An interesting piece of info this week: there was apparently a bug in Steam's system that could grant you access to every game managed by Valve. And when we say every game, we mean EVERY game. The exploit essentially let people pull free game codes out of the marketplace whenever they wanted, if they knew where to look and how to get them. Like finding loose change in the sofa, only the change was $60 a pop for every free game they could snag. Unfortunately for you would-be hackers, a researcher named Artem Moskowsky did the right thing and reported it to Valve, which rewarded him with $20,000. Here's a quick snippet from The Register about the exploit.

"This bug was discovered randomly during the exploration of the functionality of a web application," Moskowsky explained. "It could have been used by any attacker who had access to the portal."

Essentially, anyone who had an account on the developer portal would be able to access the game activation keys for any other game Steam hosted, and sell or distribute them for pirates to use to play games from Steam. Fetching from the /partnercdkeys/assignkeys/ API with a zero key count returned a huge bunch of activation keys.

"To exploit the vulnerability, it was necessary to make only one request," Moskowsky told El Reg. "I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys."

There's no official report as to how many Steam keys were lost due to the exploit, but knowing Valve, they probably have a way to trace all interactions now that they know the source.
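For readers who build this kind of portal, here is an added example (not Valve's code and not from The Register) that models the failure described in the excerpt and the server-side checks that close it. The field names `owned_app_id`, `app_id` and `key_count`, the IDs, the keys and the weak handler's internals are all assumptions made for illustration.

```python
# Constructed data: which partner account owns which app (all IDs are made up).
APP_OWNER = {1001: "partner_a", 2002: "partner_b"}
KEY_POOL = {1001: ["A-1", "A-2", "A-3"], 2002: ["B-1", "B-2", "B-3"]}
MAX_KEYS_PER_REQUEST = 2


class Denied(Exception):
    """Request rejected before any key is read."""


def assign_keys_weak(session_partner, params):
    # Assumed weak pattern: ownership is verified on one client-supplied
    # field, keys are read using a different one, and the count is unchecked.
    if APP_OWNER.get(int(params["owned_app_id"])) != session_partner:
        raise Denied("not owner")
    count = int(params["key_count"])
    pool = KEY_POOL[int(params["app_id"])]
    return pool if count == 0 else pool[:count]  # 0 behaves as "no limit"


def assign_keys_hardened(session_partner, params):
    # Reject missing or non-numeric fields instead of guessing a default.
    try:
        app_id = int(params["app_id"])
        count = int(params["key_count"])
    except (KeyError, TypeError, ValueError):
        raise Denied("malformed request") from None
    # Authorize the same identifier that is used to read data, against the
    # server-side session identity rather than a second request field.
    if APP_OWNER.get(app_id) != session_partner:
        raise Denied("not owner")
    # Bound the count explicitly so 0 or a negative never means "everything".
    if not 1 <= count <= MAX_KEYS_PER_REQUEST:
        raise Denied("key_count out of range")
    return KEY_POOL[app_id][:count]
```

Logging every `Denied` result with the session identity and requested app ID also gives the portal's operators a trail to review for cross-account requests.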

About Gavin Sheehan

Gavin has been a lifelong geek who can chat with you about comics, television, video games, and even pro wrestling. He can also teach you how to play Star Trek chess, be your Mercy on Overwatch, recommend random cool music, and goes rogue in D&D. He also enjoys hundreds of other geeky things that can't be covered in a single paragraph. Follow @TheGavinSheehan on Facebook, Twitter, Instagram, and Vero, for random pictures and musings.
