Valve pays researcher $7,500 for discovering exploit that could add unlimited funds to...

midian182

Why it matters: An exploit that allowed someone to add unlimited funds to their Steam account has been patched. For discovering the bug, which could have cost the company a fortune, Valve has paid $7,500 to the security researcher who identified it.

As reported by The Daily Swig, a security researcher with the username "drbrix" reported the exploit to HackerOne, a bug bounty platform that connects people who find these bugs with the companies that created the software. It allows the latter to reward the former for identifying problems before they can be exploited by criminals.

drbrix alerted Valve to the exploit on August 9. It worked by changing a Steam account email address to include "amount100," and intercepting the POST request for transactions that use the Smart2Pay payment method to edit the amount from, say, $1 to $100.

"I think impact is pretty obvious, attacker can generate money and break the Steam market, sell game keys for cheap etc," drbrix wrote in their HackerOne report.

A Valve employee called JonP thanked drbrix and said Valve had "validate this is happening pretty much as described."

"Thank you for this report," JonP said. "This was clearly written and helpful in identifying a real business risk. We have changed the severity assessment to Critical, reflecting the potential cost to the business, and applied a bounty accordingly. We hope to hear more from you in the future."

Valve never said if anybody used the exploit before it was patched.

drbrix received $7,500 for his troubles. For comparison, Microsoft's average payout across all its bug bounty programs over the past 12 months was just over $10,000, while the largest single award was $200,000.

In other Valve news, the company recently updated its official YouTube channel for the first time in eight months with an ad for the Steam Deck.
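The article does not say how the payment request was authenticated. As an added example (not from the article, Valve or Smart2Pay), and assuming a signature computed over parameter names and values concatenated without delimiters, the code below shows why user-controlled text such as an email containing "amount100" matters to the server, and two checks that close the gap; the field names, key and sample values are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed for this example, not a real secret

def sign_naive(fields):
    """Assumed weak scheme: MAC over names and values glued together, no delimiters."""
    blob = "".join(name + value for name, value in fields)
    return hmac.new(KEY, blob.encode(), hashlib.sha256).hexdigest()

def sign_canonical(fields):
    """Hardened scheme: each name and value is length-prefixed before it is MACed,
    so the field boundaries are part of what the signature covers."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    for name, value in fields:
        for part in (name.encode(), value.encode()):
            mac.update(len(part).to_bytes(4, "big") + part)
    return mac.hexdigest()

def verify(fields, tag, signer, order_amount):
    """Accept only if the MAC matches and the amount equals the server-side order."""
    mac_ok = hmac.compare_digest(signer(fields), tag)
    return mac_ok and dict(fields).get("amount") == order_amount

# Constructed sample: the fields the server signed for a 1-unit order.
SIGNED = [("amount", "1"), ("email", "bobamount100x@example.test")]
# Same characters in the same order, but the field boundaries have moved.
SHIFTED = [("amount1", ""), ("email", "bob"), ("amount", "100"),
           ("x", "@example.test")]

def demo():
    naive_tag, canon_tag = sign_naive(SIGNED), sign_canonical(SIGNED)
    return {
        "naive_mac_collides": sign_naive(SHIFTED) == naive_tag,
        "canonical_mac_collides": sign_canonical(SHIFTED) == canon_tag,
        "naive_with_order_check": verify(SHIFTED, naive_tag, sign_naive, "1"),
        "canonical_accepts_original": verify(SIGNED, canon_tag, sign_canonical, "1"),
    }

if __name__ == "__main__":
    print(demo())
```

Either control alone rejects the shifted request here; comparing the amount with the server-side order record still holds when the signing scheme is weak.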


 
Really depends on a lot of factors, like potential impact, how practical the exploit was to execute in the wild, how difficult it was to patch, etc. $7,500 is less than some but also more than a lot of others.
 
I wonder if Valve will now try and find out if any users took advantage of the exploit to get free games and ask (demand) for payment in full.

...if so, someone could get a bill for thousands of $$$, depending on how greedy they were, to suddenly have the keys to the kingdom, would they have been able to resist going crazy.


 
I wonder if Valve will now try and find out if any users took advantage of the exploit to get free games and ask (demand) for payment in full.

...if so, someone could get a bill for thousands of $$$, depending on how greedy they were, to suddenly have the keys to the kingdom, would they have been able to resist going crazy.
I would imagine so. Stealing through an exploit is still stealing.

Dunno why you wouldn't just torrent the games in that case (as you risk losing your Steam account and everything you've bought)...
 
Really depends on a lot of factors, like potential impact, how practical the exploit was to execute in the wild, how difficult it was to patch, etc. $7,500 is less than some but also more than a lot of others.
This is how it works:
It worked by changing a Steam account email address to include "amount100," and intercepting the POST request for transactions that use the Smart2Pay payment method to edit the amount from, say, $1 to $100.
That's super easy to do; I have experience with this kind of thing. All you need is a browser and Fiddler. You could even repeatedly script it with a combination of Fiddler and Selenium IDE.

But whoever wanted to profit off it would probably want to stay under the radar so it doesn't get exploited, so that probably means only redeeming a limited number of games each day from each account/IP. Then just sell the games on G2A for pure profit.
 
Oh, come on, Valve probably wipe their asses with $7500. They could've paid much more than that.

It could be that they don't want to attract more people into finding exploits by offering loads of money.
 
$7500 is pathetic. Valve pay their staff far more and they didn’t find this exploit. Also if anyone finds an exploit in Steam that can make more than $7500 they will keep their mouths shut.
 
Oh, come on, Valve probably wipe their asses with $7500. They could've paid much more than that.

It could be that they don't want to attract more people into finding exploits by offering loads of money.
You're sitting backwards on this. People try to find exploits whether companies want them or not. The idea of bounty programs is that it is better to pay people for finding and reporting exploits and fixing them than having people actually actively exploit your systems.
 
You're sitting backwards on this. People try to find exploits whether companies want them or not. The idea of bounty programs is that it is better to pay people for finding and reporting exploits and fixing them than having people actually actively exploit your systems.
I know the idea of bounty programs, I'm just throwing this out there since I know Valve tends to make weird decisions.
 
That's miserable. Better than nothing obviously... But this will fix the bug for eternity, and $7500 is nothing. I would have preferred a 0.1% profit cut or 0.01% revenue cut for the rest of Steam's existence. Or at worst, a set amount of time.
 
"A security researcher"?? You mean White Hat Hacker?

And yes, $7500 is really cheap. They should have paid him at least $20,000. Because he could have used that hole to sell credits for Steam accounts at 50% discount, and he'd earn a lot more.
 
$7500. Wow. I definitely see this as an incentive for hackers to find more holes and exploit them, ASAP, for as long as they can.
And so they should.
Valve is disgusting.
 