1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

Valve awards $20,000 bug bounty for exploit that produced unlimited free games

By Cal Jeffrey · 6 replies
Nov 13, 2018
Post New Reply
  1. Artem Moskowsky told The Register that he found the bug by accident. He had been exploring the Steam developer portal, which is used by game makers to manage their products. An application program interface (API) allows developers to generate activation keys for their titles so they can use them to give to reviewers or for promotions.

    Moskowsky discovered that it was quite easy to change the parameters in the API request to get codes for virtually any game regardless of ownership. Those with a developer account could generate as many keys as they wanted for any game hosted on Steam. These activation codes could then be given away or sold by unscrupulous individuals.

    “To exploit the vulnerability, it was necessary to make only one request,” said Moskowsky. “I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys.”

    Anyone who had an account on the developer portal would be able to access the game activation keys for any other game Steam hosted.

    In one instance he entered a random number into the parameter and received 36,000 keys for Portal 2. To put that in perspective, that attack alone could have potentially cost Valve almost $360,000 in sales of the game.

    Fortunately, Moskowsky decided to keep the flaw to himself and reported it to the company on August 7. Valve engineers verified the bug, patched it, and three days later awarded the researcher a $15,000 bounty, plus a $5,000 bonus.

    Moskowsky is no novice to cashing in bug bounties. A peek at his HackerOne profile reveals that in the last three years he has exposed 19 flaws to Valve. Most of the awards have been in the $500-$750 range.

    This latest was considered a critical flaw and therefore called for a substantial reward. However, it was not Moskowsky's biggest payout from the company. Back in July, he uncovered a critical SQL injection exploit in the same portal that earned him a $25,000 bounty.

    Permalink to story.

  2. m4a4

    m4a4 TS Evangelist Posts: 1,395   +965

    +1 to this guy for doing the responsible thing (not that it should be seen as a rare quality to have).
  3. ZackL04

    ZackL04 TS Guru Posts: 503   +243

    $20k seems low for this kind of find, considering the article says 100’s of thousands up to millions could have been lost.
  4. texasrattler

    texasrattler TS Evangelist Posts: 614   +231

    Valve, a Billion dollar company giving out pennies to find flaws that their engineers couldn't. On top of that the flaws could potentially cost them millions, cheap *** company. The guy has found like 20 or so flaws in your own company, umm I think you can afford to pay him since he is actually the finding these flaws, something their own team cant even manage. Very sad if you ask me.
  5. bandit8623

    bandit8623 TS Addict Posts: 152   +55

    Seems smart to me. Payout when they are found and not paying another engineer over 100k a year. Smart on valves part.
    Ravey likes this.
  6. ForgottenLegion

    ForgottenLegion TS Guru Posts: 365   +366

  7. tomkaten

    tomkaten TS Maniac Posts: 247   +164

    Wish he told all of us first...

    J/k, guy did the right thing, kudos to him !
    Tonia73986 likes this.

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...