Skip to main content
  1. Home
  2. Gaming
  3. News

Hacker finds Steam bug that unlocks free games, collects $20K for reporting it

By

Security researcher Artem Moskowsky found a Steam bug that gave him access to infinite free keys for any game on the digital distribution platform, but instead of abusing the exploit, he reported it to Valve for a $20,000 reward.

Moskowsky told The Register that he accidentally discovered the vulnerability while browsing through the Steam partner portal, which is the website where developers manage games that may be downloaded on the platform. The security researcher, who has made a career as a bug hunter, noticed that it was easy to change the parameters of an API request, which gave him activation keys for certain games.

Recommended Videos

The API allows developers to acquire license keys for their games, which they can then pass on to gamers. However, as Moskowsky pointed out, it could have been abused by an attacker who has access to the Steam partner portal to generate an infinite number of activation keys for any game on Steam. It is also pretty easy to pose as a developer to gain access to the partner portal, so practically anybody could have taken advantage of the vulnerability.

Related

Moskowsky said that he entered a random string into the API request to check the severity of the bug. He then received 36,000 activation keys for Portal 2, which is being sold at $10 on Steam, for a total value of about $360,000 in just one command.

The Steam bug has now been recorded on the bug bounty website HackerOne, where it can be seen that Moskowsky reported the exploit to Valve on August 7. Valve took only a few days to patch up the vulnerability, and to award Moskowsky with a $15,000 bounty and a $5,000 bonus.

Valve is lucky that the exploit was discovered by an honest hacker like Moskowsky. The $20,000 reward to Moskowsky is minuscule compared to the possible losses that Steam would have suffered if the bug was widely used by pirates to grab free activation keys for every game on the platform.

Impressively, this is not the biggest bounty that Moskowsky has received from Valve. In July, the security researcher was awarded $25,000 for reporting an SQL injection bug, which was also discovered on the Steam partner portal.

Editors' Recommendations

Topics
Aaron Mamiit
Aaron Mamiit
Contributor
Aaron received a NES and a copy of Super Mario Bros. for Christmas when he was 4 years old, and he has been fascinated with…
Valve reveals which games are verified for the Steam Deck
Factorio running on a Steam Deck.

With Steam Deck expected to reach the hands of customers sometime next month, Valve is publicly labeling which games will and won't work on the mobile PC.

Valve currently has four game classifications on the Steam Deck, with "verified" meaning that players will be able to play a game seamlessly, while "playable" games will require the user to make some changes. A decent number of Steam's games will also be unsupported on the Steam Deck, namely all VR titles listed on the online games marketplace.

Read more
The Steam Deck won’t have any exclusive games, says Valve
Steam's new handheld console, the Steam Deck.

When it launches next year, Valve's Steam Deck will be able to run a suite of PC games, none of which will be exclusive to it. The mobile console, which is really more of a handheld Steam machine, won't have any exclusive games according to Valve.

In a beefy FAQ section for developers, Valve says it won't support exclusive games on its upcoming console. "No, that doesn't make much sense to us," reads an FAQ answer. "It's a PC and it should just play games like a PC." In short, don't expect a "killer app" that's only available on the device.

Read more
Valve is reviewing every game on Steam for the Steam Deck
Two players using Steam Decks to play Stardew Valley.

To make sure that players aren't disappointed once they finally have their Steam Decks, Valve has said it would test every single game on Steam for the handheld console. The statement comes as part of a larger post regarding the Steam Deck's verification process, which grades games based on their performance on Valve's console.

There are four grades that games can get, ranging from Verified, which means a game can simply be played on a Steam Deck with no issue, to Unsupported. While a large number of games will either be Verified or at least Playable, which means users can play the game after some tooling around with controller configuration, a solid chunk of Steam games will be completely unsupported. Specifically, Steam Deck users won't be able to tape the console to their heads and play VR titles, although that should be a given.

Read more