Gamasutra: The Art & Business of Making Games
Hacker gets $20K from Valve for unearthing bug that generates free Steam keys

November 13, 2018 | By Chris Kerr

Valve has paid a $20,000 'bug bounty' to security researcher Artem Moskowsky after he discovered a bug that would've let people grab Steam game codes for free. 

As detailed by the company on HackerOne, the bug let anyone with access to the Steam partner portal download the previously-generated keys for any game by taking advantage of "specific parameters."

Moskowsky actually discovered the issue back in August, but it took Valve until October 31 to resolve the problem. Even so, Valve claims there's no evidence of the bug being exploited, meaning it managed to escape the notice of someone with less honorable intentions. 

To give you a flavor of how the situation might've unfolded in the worst timeline, Moskowsky told The Register he managed to get his hands on 36,000 keys for Portal 2, which still costs $9.99 on Steam. 

"This bug was discovered randomly during the exploration of the functionality of a web application. It could have been used by any attacker who had access to the portal," he explained. 

"To exploit the vulnerability, it was necessary to make only one request. I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys."

Luckily for Valve, Moskowsky -- who's established himself as a rather prolific bug hunter -- made the company aware of the problem and gave it plenty of time to cook up a fix. Bullet dodged. 
