This is Niche Gamer Tech. In this column, we regularly cover tech and things related to the tech industry. Please leave feedback and let us know if there’s tech or a story you want us to cover!
Valve has awarded Artem Moskowsky $20,000 USD for informing them of an exploit that let him get activation codes for any Steam game for free.
Speaking to The Register, Moskowsky – a cyber security researcher and pentester – explained how he was examining the Steam developer site and partner portal. This is where Steam controls what games are available to purchase.
He explained how he easily changed parameters in an API request to gain activation keys for the selected game. “This bug was discovered randomly during the exploration of the functionality of a web application,” he said. “It could have been used by any attacker who had access to the portal.”
On the technical side, he fetched from the /partnercdkeys/assignkeys/” API asking for zero keys- getting many instead.
“To exploit the vulnerability, it was necessary to make only one request,” he added. “I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys.”
For example, when entering a random string into the request, he gained 36,000 activation keys for Portal 2.
Moskowsky turned to bug-bounty hunting website “Hackerone” and explained the exploit in a post in August. Just three days later, Valve awarded the $15,000 “bounty” for the exploit and a bonus $5,000. Valve did insist on the report only becoming public on October 31st. Suffice to say, the exploit has been fixed.
This is the second time Moskowsky as helped Valve. Back in July he earned $25,000 for discovering an SQL Injection bug in the same portal.