Skip to main content
  1. Home
  2. Gaming
  3. News

Hacker finds Steam bug that unlocks free games, collects $20K for reporting it

By

Security researcher Artem Moskowsky found a Steam bug that gave him access to infinite free keys for any game on the digital distribution platform, but instead of abusing the exploit, he reported it to Valve for a $20,000 reward.

Moskowsky told The Register that he accidentally discovered the vulnerability while browsing through the Steam partner portal, which is the website where developers manage games that may be downloaded on the platform. The security researcher, who has made a career as a bug hunter, noticed that it was easy to change the parameters of an API request, which gave him activation keys for certain games.

Recommended Videos

The API allows developers to acquire license keys for their games, which they can then pass on to gamers. However, as Moskowsky pointed out, it could have been abused by an attacker who has access to the Steam partner portal to generate an infinite number of activation keys for any game on Steam. It is also pretty easy to pose as a developer to gain access to the partner portal, so practically anybody could have taken advantage of the vulnerability.

Related

Moskowsky said that he entered a random string into the API request to check the severity of the bug. He then received 36,000 activation keys for Portal 2, which is being sold at $10 on Steam, for a total value of about $360,000 in just one command.

The Steam bug has now been recorded on the bug bounty website HackerOne, where it can be seen that Moskowsky reported the exploit to Valve on August 7. Valve took only a few days to patch up the vulnerability, and to award Moskowsky with a $15,000 bounty and a $5,000 bonus.

Valve is lucky that the exploit was discovered by an honest hacker like Moskowsky. The $20,000 reward to Moskowsky is minuscule compared to the possible losses that Steam would have suffered if the bug was widely used by pirates to grab free activation keys for every game on the platform.

Impressively, this is not the biggest bounty that Moskowsky has received from Valve. In July, the security researcher was awarded $25,000 for reporting an SQL injection bug, which was also discovered on the Steam partner portal.

Editors' Recommendations

Topics
Aaron Mamiit
Aaron Mamiit
Contributor
Aaron received a NES and a copy of Super Mario Bros. for Christmas when he was 4 years old, and he has been fascinated with…
Steam Deck vs. cloud gaming: How do they compare?
Steam Deck being held in two hands.

Before I actually got my hands on a Steam Deck, I was skeptical of the concept. It’s not that I thought it wouldn’t work. In fact, the idea of having my entire Steam library available on a handheld was extremely appealing. My only question was whether or not the gadget was necessary.

Ever since the Nintendo Switch redefined how we play games, companies have tried to replicate its flexibility in their own ways. One of the earliest, and most experimental, attempts was cloud gaming. Companies like Google and Amazon bet big on streaming, envisioning a future where you don’t need a powerful PC or console to run games at all: You just need the devices you already own.

Read more
A new Portal spinoff game is coming to Steam Deck
Aperture Desk Job robot giving thumbs up.

Valve's new portable gaming console, known as the Steam Deck, is finally getting in the hands of players around the world. To coincide with this console release, Valve is releasing a new game set in the world of Portal titled Aperture Desk Job.

Aperture Desk Job Trailer

Read more
3 reasons why the Steam Deck is the ultimate gaming handheld
Factorio running on a Steam Deck.

The first Steam Decks are shipping out to eager customers today, delivering on months of hype for a PC squeezed into a handheld. While reviews are dissecting battery life, performance, and heat, I'm focused on the lesser-talked-about aspects of the Steam Deck: How much Valve has done to improve on previous handhelds.

Nintendo has dominated mobile gaming, at least outside of the massive library of Android games available. Sony has dabbled, but Nintendo created the template for handhelds. And now, Valve is throwing out that rulebook with the Steam Deck.

Read more