Valve’s Steam is one the most popular and successful digital distribution platforms on the PC, so it would make sense that the company would want to keep it bug free. Security researcher Artem Moskowsky, who found a bug which would allow users to get their hands on functioning Steam game keys, was paid $20,000 for his find.
“An authenticated user could download previously-generated CD keys for a game which they would not normally have access,” Valve explains in the HackerOne report.
The issue was first discovered by Moskowsky back in August, and Valve managed to resolve it only recently. On August 11th, Moskowsky was paid a bug bounty of $15,000 with a $5000 bonus. Valve claims that this method of generating keys is tied to audit logs, and that there is no evidence of someone abusing this bug.
“Audit logs were not bypassed using this method, and an investigation of those audit logs did not show any prior or ongoing exploitation of this bug.”
Speaking with The Register about his find, Moskowsky says, “This bug was discovered randomly during the exploration of the functionality of a web application. It could have been used by any attacker who had access to the portal.”
As you would probably guess from the large payout, this was a very serious issue and it took Valve at least a couple of weeks to patch. In one case, Moskowsky had managed to acquire 36,000 Steam keys for Portal 2, a title that retails for $9.99 on the Steam store.
“To exploit the vulnerability, it was necessary to make only one request. I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys,” the researcher continues.