An exploit that allowed someone to add unlimited funds to their Steam account has been patched. For discovering the bug, which could have cost the company a fortune, Valve has paid $7,500 to the security researcher who identified it.
As reported by The Daily Swig, a security researcher with the username “drbrix” reported the exploit to Hackerone, a bug bounty platform that connects people who find these bugs with the companies that created the software. It allows the latter to reward the former for identifying problems before they can be exploited by criminals.
drbrix alerted Valve of the exploit on August 9. It worked by changing a Steam account email address to include “amount100,” and intercepting the POST request for transactions that use the Smart2Pay payment method to edit the amount from, say, $1 to $100.
“I think impact is pretty obvious, attacker can generate money and break the Steam market, sell game keys for cheap etc,” drbrix wrote in their Hackerone report.
A Valve employee called JonP thanked drbrix and said Valve had “validate this is happening pretty much as described.”
“Thank you for this report,” JonP said. “This was clearly written and helpful in identifying a real business risk. We have changed the severity assessment to Critical, reflecting the potential cost to the business, and applied a bounty accordingly. We hope to hear more from you in the future.”
Valve never said if anybody used the exploit before it was patched.
drbrix received $7,500 for his troubles. For comparison, Microsoft’s average payout across all its bug bounty programs over the past 12 months was just over $10,000, while the largest single award was $200,000.
In other Valve news, the company recently updated its official YouTube channel for the first time in eight months with an ad for the Steam Deck.