Artem Moskowsky told The Register that he found the bug by accident. He had been exploring the Steam developer portal, which game makers use to manage their products. An application programming interface (API) lets developers generate activation keys for their titles to give to reviewers or use in promotions.
Moskowsky discovered that it was quite easy to change the parameters in the API request to get codes for virtually any game regardless of ownership. Those with a developer account could generate as many keys as they wanted for any game hosted on Steam. These activation codes could then be given away or sold by unscrupulous individuals.
“To exploit the vulnerability, it was necessary to make only one request,” said Moskowsky. “I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys.”
Anyone who had an account on the developer portal would be able to access the game activation keys for any other game Steam hosted.
In one instance he entered a random number into the parameter and received 36,000 keys for Portal 2. To put that in perspective, that attack alone could have cost Valve almost $360,000 in sales of the game.
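The flaw class described above, a server-side ownership check that a request parameter can switch off, shown beside a handler that always enforces it. This is an added example, not Valve's code: the article does not say which parameters were involved, so `mode`, `app_id`, `count`, the ownership table and the per-request cap are all assumptions.

```python
"""Added illustration; all names are hypothetical, not Valve's API."""

# Constructed sample data: app IDs owned by each developer account.
OWNED_APPS = {"dev_alice": {1001}, "dev_bob": {2002}}
MAX_KEYS_PER_REQUEST = 500  # assumed cap, defence in depth


class Forbidden(Exception):
    """Caller is authenticated but not authorised for this app."""


def _mint(app_id, count):
    # Stand-in for a real key generator.
    return [f"KEY-{app_id}-{i:05d}" for i in range(count)]


def owns(session_user, app_id):
    # Ownership comes from server-side state keyed by the session,
    # never from anything in the request body.
    return app_id in OWNED_APPS.get(session_user, set())


def issue_keys_weak(session_user, params):
    """Flawed: the ownership check runs on only one code path."""
    app_id, count = int(params["app_id"]), int(params["count"])
    if params.get("mode", "standard") == "standard":  # client-controlled
        if not owns(session_user, app_id):
            raise Forbidden("not the owner")
    return _mint(app_id, count)  # other modes reach here unchecked


def issue_keys_hardened(session_user, params):
    """Check ownership unconditionally, then bound the batch size."""
    app_id, count = int(params["app_id"]), int(params["count"])
    if not owns(session_user, app_id):
        raise Forbidden("not the owner")
    if not 1 <= count <= MAX_KEYS_PER_REQUEST:
        raise ValueError("count outside allowed range")
    return _mint(app_id, count)


if __name__ == "__main__":
    req = {"app_id": "2002", "count": "3", "mode": "bulk"}  # constructed
    print("weak:", issue_keys_weak("dev_alice", req))
    try:
        issue_keys_hardened("dev_alice", req)
    except Forbidden as exc:
        print("hardened:", exc)
```

A regression test for this class of bug should call the endpoint as one account with another account's app ID on every supported code path and expect a refusal each time.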
Fortunately, Moskowsky decided to keep the flaw to himself and reported it to the company on August 7. Valve engineers verified the bug, patched it, and three days later awarded the researcher a $15,000 bounty, plus a $5,000 bonus.
Moskowsky is no stranger to bug bounties. His HackerOne profile shows that in the last three years he has reported 19 flaws to Valve. Most of the awards have been in the $500-$750 range.
This latest flaw was rated critical and therefore earned a substantial reward. However, it was not Moskowsky's biggest payout from the company. Back in July, he uncovered a critical SQL injection vulnerability in the same portal that earned him a $25,000 bounty.