Security researcher Artem Moskowsky recently discovered a flaw in Steam that allows unscrupulous users with access to the developer portal to generate unlimited game keys. But instead of rewarding himself with a copy of every game on the platform, or generating thousands of keys for Crusader Kings 2 to be unloaded through retailers, he brought the matter to Valve's attention and was rewarded with $20,000 for reporting the problem.
"This bug was found randomly during the exploration of the functions of the web application," Moskowsky told The Register. "It can be used by attackers who have access to the portal."
"To exploit a vulnerability, you only need one request. I have successfully passed verification of game ownership by changing only one parameter. After that, I can enter any ID into other parameters and get a series of keys."
To show the severity of the problem, Moskowsky said he entered a random string into the request at one point and ended up with 36,000 activation keys for Portal 2. At full retail price, that is $360,000 worth of game keys; knock them down with a 95 percent discount and you are still making serious money for minimal effort, which is probably why Valve rewarded him so handsomely for the find.
More details on the issue are available from HackerOne, a site dedicated to security research, disclosure, and "bug bounty" programs.
"Using the /partnercdkeys/assignkeys/ endpoint on partner.steamgames.com with certain parameters, authenticated users can download CD keys that were generated previously for games they would not normally access," he said. "The audit log is not skipped using this method, and an investigation of the audit log does not indicate previous or ongoing exploitation of this bug."
I will not pretend to know what that means, but the site describes the severity of the vulnerability as "critical," complete with a hint of red indicating that this is a very serious matter. Moskowsky reported the problem on August 7, and received his reward – a bounty of $15,000, plus a $5,000 bonus – on August 10. The report was only made public on October 31, which is why you are only hearing about it now.
Valve has actually been paying ethical hackers who discover security vulnerabilities on Steam for some time now. We first heard about the bug bounty program, and the HackerOne site, in May this year, but it was later revealed that the program had been operating for at least seven months before that. Payment reports on HackerOne go back at least one year, but details about most of them have not been disclosed. Moskowsky did quite well, though: along with smaller payments ($500-$750), another critical vulnerability he reported in July earned him $25,000.
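The class of flaw Moskowsky describes, an ownership check that passes on one request parameter while other ID parameters are accepted as sent, can be modelled in a few lines. This is an added example, not Valve's code and not taken from the HackerOne report; the function names, parameter names, partner names, IDs and keys are all constructed assumptions.

```python
# Added example: simplified model of a partner key-download handler.
# All names, IDs and keys below are constructed; this is not Valve's code.
APP_OWNER = {100: "partner_a", 200: "partner_b"}      # app_id -> owning partner
KEYSET_APP = {9001: 100, 9002: 200}                   # keyset_id -> app it was generated for
KEYSETS = {9001: ["AAAA-0001", "AAAA-0002"],
           9002: ["BBBB-0001", "BBBB-0002", "BBBB-0003"]}
AUDIT_LOG = []                                        # one record per checked request


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested keys."""


def assign_keys_flawed(partner, app_id, keyset_id):
    """Ownership is checked on app_id only; keyset_id is trusted as sent."""
    if APP_OWNER.get(app_id) != partner:
        raise Forbidden("caller does not own app")
    return list(KEYSETS[keyset_id])   # never tied back to app_id or partner


def assign_keys_checked(partner, app_id, keyset_id):
    """Every caller-supplied ID is resolved server-side and bound to the session."""
    owns_app = APP_OWNER.get(app_id) == partner
    keyset_matches = KEYSET_APP.get(keyset_id) == app_id
    allowed = owns_app and keyset_matches
    AUDIT_LOG.append({"partner": partner, "app_id": app_id,
                      "keyset_id": keyset_id, "allowed": allowed})
    if not allowed:
        raise Forbidden("keyset is not bound to an app the caller owns")
    return list(KEYSETS[keyset_id])


def denied_requests(log):
    """Audit-log review: requests that named an ID outside the caller's own apps."""
    return [entry for entry in log if not entry["allowed"]]


if __name__ == "__main__":
    # partner_a owns app 100 but names partner_b's key set 9002.
    print(len(assign_keys_flawed("partner_a", 100, 9002)), "keys returned by flawed check")
    try:
        assign_keys_checked("partner_a", 100, 9002)
    except Forbidden as exc:
        print("blocked:", exc)
    print(denied_requests(AUDIT_LOG))
```

The checked handler records denied requests as well as allowed ones, which is what makes an after-the-fact audit-log review for exploitation possible.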