Hacker finds Steam bug that unlocks free games, collects $20K for reporting it

Security researcher Artem Moskowsky found a Steam bug that gave him access to infinite free keys for any game on the digital distribution platform, but instead of abusing the exploit, he reported it to Valve for a $20,000 reward.

Moskowsky told The Register that he accidentally discovered the vulnerability while browsing through the Steam partner portal, which is the website where developers manage games that may be downloaded on the platform. The security researcher, who has made a career as a bug hunter, noticed that it was easy to change the parameters of an API request, which gave him activation keys for certain games.

The API allows developers to acquire license keys for their games, which they can then pass on to gamers. However, as Moskowsky pointed out, it could have been abused by an attacker who has access to the Steam partner portal to generate an infinite number of activation keys for any game on Steam. It is also pretty easy to pose as a developer to gain access to the partner portal, so practically anybody could have taken advantage of the vulnerability.

Moskowsky said that he entered a random string into the API request to check the severity of the bug. He then received 36,000 activation keys for Portal 2, which is being sold at $10 on Steam, for a total value of about $360,000 in just one command.
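The article does not give the request format, so the following is an added sketch, not Valve's code: it shows the class of flaw described above (a key-fetch endpoint that trusts a client-supplied parameter) beside a handler that validates the parameter and checks ownership on the server. All names, IDs and key values are hypothetical and constructed for the example.

```python
import re

class BadRequest(Exception):
    pass

class Forbidden(Exception):
    pass

# Constructed sample data (hypothetical IDs): who owns each app, and
# which app each batch of activation keys belongs to.
APP_OWNER = {"app-100": "partner-a", "app-200": "partner-b"}
KEY_BATCHES = {
    "batch-1": ("app-100", ["AAAA-0001", "AAAA-0002"]),
    "batch-2": ("app-200", ["BBBB-0001", "BBBB-0002", "BBBB-0003"]),
}
BATCH_ID_RE = re.compile(r"batch-\d{1,9}")
DENIED = []  # (partner, batch_id) pairs, kept so repeated probing can be alerted on

def fetch_keys_unchecked(session_partner, params):
    """Weak form: being logged in is the only check; batch_id is trusted."""
    _app_id, keys = KEY_BATCHES[params["batch_id"]]
    return list(keys)

def fetch_keys_checked(session_partner, params):
    """Hardened form: validate the parameter, then authorize per object."""
    batch_id = params.get("batch_id")
    if not isinstance(batch_id, str) or not BATCH_ID_RE.fullmatch(batch_id):
        raise BadRequest("malformed batch_id")
    entry = KEY_BATCHES.get(batch_id)
    # The owner is derived from the server-side session, never from the request.
    # Unknown and unowned batches get the same answer, so the error is not an
    # oracle for which batch IDs exist.
    if entry is None or APP_OWNER.get(entry[0]) != session_partner:
        DENIED.append((session_partner, batch_id))
        raise Forbidden("batch not available to this partner")
    return list(entry[1])
```
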

The Steam bug has now been recorded on the bug bounty website HackerOne, where it can be seen that Moskowsky reported the exploit to Valve on August 7. Valve took only a few days to patch the vulnerability and to award Moskowsky a $15,000 bounty and a $5,000 bonus.

Valve is lucky that the exploit was discovered by an honest hacker like Moskowsky. The $20,000 reward to Moskowsky is minuscule compared to the possible losses that Steam would have suffered if the bug was widely used by pirates to grab free activation keys for every game on the platform.

Impressively, this is not the biggest bounty that Moskowsky has received from Valve. In July, the security researcher was awarded $25,000 for reporting an SQL injection bug, which was also discovered on the Steam partner portal.

Aaron Mamiit