Hacker gets $20K from Valve for unearthing bug that generates free Steam keys
Valve has paid a $20,000 'bug bounty' to security researcher Artem Moskowsky after he discovered a bug that would've let people grab Steam game codes for free.
As detailed by the company on HackerOne, the bug let anyone with access to the Steam partner portal download the previously generated keys for any game by taking advantage of "specific parameters."
Moskowsky actually discovered the issue back in August, but it took Valve until October 31 to resolve the problem. Even so, Valve claims there's no evidence of the bug being exploited, meaning it apparently escaped the notice of anyone with less honorable intentions.
To give you a flavor of how the situation might've unfolded in the worst timeline, Moskowsky told The Register he managed to get his hands on 36,000 keys for Portal 2, which still costs $9.99 on Steam.
"This bug was discovered randomly during the exploration of the functionality of a web application. It could have been used by any attacker who had access to the portal," he explained.
"To exploit the vulnerability, it was necessary to make only one request. I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys."
Luckily for Valve, Moskowsky -- who's established himself as a rather prolific bug hunter -- made the company aware of the problem and gave it plenty of time to cook up a fix. Bullet dodged.