1. Gaming

Hacker finds Steam bug that unlocks free games, collects $20K for reporting it

By

Security researcher Artem Moskowsky found a Steam bug that gave him access to infinite free keys for any game on the digital distribution platform, but instead of abusing the exploit, he reported it to Valve for a $20,000 reward.

Moskowsky told The Register that he accidentally discovered the vulnerability while browsing through the Steam partner portal, which is the website where developers manage games that may be downloaded on the platform. The security researcher, who has made a career as a bug hunter, noticed that it was easy to change the parameters of an API request, which gave him activation keys for certain games.

The API allows developers to acquire license keys for their games, which they can then pass on to gamers. However, as Moskowsky pointed out, it could have been abused by an attacker who has access to the Steam partner portal to generate an infinite number of activation keys for any game on Steam. It is also pretty easy to pose as a developer to gain access to the partner portal, so practically anybody could have taken advantage of the vulnerability.

Moskowsky said that he entered a random string into the API request to check the severity of the bug. He then received 36,000 activation keys for Portal 2, which is being sold at $10 on Steam, for a total value of about $360,000 in just one command.

The Steam bug has now been recorded on the bug bounty website HackerOne, where it can be seen that Moskowsky reported the exploit to Valve on August 7. Valve took only a few days to patch up the vulnerability, and to award Moskowsky with a $15,000 bounty and a $5,000 bonus.

Valve is lucky that the exploit was discovered by an honest hacker like Moskowsky. The $20,000 reward to Moskowsky is minuscule compared to the possible losses that Steam would have suffered if the bug was widely used by pirates to grab free activation keys for every game on the platform.

Impressively, this is not the biggest bounty that Moskowsky has received from Valve. In July, the security researcher was awarded $25,000 for reporting an SQL injection bug, which was also discovered on the Steam partner portal.

Editors' Recommendations

The best free-to-play games for 2021

Spellbreak player rushing through poison cloud.

The best games on Steam

Hunters in front of a monster in Monster Hunter World.

Ditching your Switch for a Steam Deck? Here are 7 alternatives to Nintendo games

nintendo switch alternatives steam deck bug fables town

The best free games on Steam in 2021

Yareli Warframe riding a K-Drive

With Tesla bleeding money, Elon Musk initiates hardcore spending review

Tesla Model Y front

Best 70-inch Black Friday TV Deals for October 2021

The Samsung 70-inch Class 7 Series 4K TV in a living room.

iPad stock is drying up for holiday shoppers — here’s the proof

iPad Pro on a desk with other Apple devices and accessories.

Best Buy Black Friday TV Deals for October 2021

Vizio V Series

Best Black Friday Beats Headphones Deals for October 2021

Glow-in-the-dark Powerbeats 4

Samsung Galaxy S22: Everything we know so far about Samsung’s next big flagship

Galaxy S22 Ultra leaked render.

It’s time for a Marvel-style video game crossover universe

Sora and Mario shake hands in Super Smash Bros. Ultimate.

This titanium, connected G-Shock is a $1,650 sci-fi-inspired design masterpiece

The G Shock GMWB5000TVA on the wrist.

Apple Black Friday Deals 2021: Deals you can shop today

apple black friday deals bfcm2020 201028