A Valve exploit was recently patched after a security researcher brought to light a vulnerability that could potentially lead the company to lose a lot of money.
It is without a doubt that Valve’s Steam platform is the most popular and recognizable among similar services out there. So, it goes without saying that anything that might affect the company’s bottom line would be given much attention.
That said, a Hackerone security researcher with the handle “Drbrix” has found an exploit that would let users add infinite amounts of money into their Steam wallets.
The Exploit
Drbrix explained how the exploit is done. The first step is to link or change a Steam account email to something that contains the term “amount100.” It could be anything so long as the email contains the exact term.
Next, go and click “Add Funds” and then select any Smart2Pay payment method. This includes services like Paypal and Skrill.
The security researcher continued that the user must intercept a POST request, which is essentially the data sent to the server, and change certain parameters to complete the exploit.
Drbrix said that this is problematic for Valve because attackers can generate much money in their Steam wallets to buy as many games as they want. In addition, they could use this vulnerability as a means of selling game keys for cheap, among other nefarious purposes.
Because this is a potentially huge issue for Valve and possibly even to legitimate users, the security researcher told the company about the exploit. Thankfully, the company has responded.
A Valve employee that goes by the name “JonP” thanked Drbrix for their efforts in bringing this vulnerability to light. In a follow-up statement, JonP said that the report was thorough and well-written and has helped the company find a “real business risk.”
Drbrix was paid $7,500 for their efforts, though with the potential damage that vulnerability might do to the company’s bottom line, Valve needs to pay the security researcher more.
Although the company was able to patch the vulnerability, it is unclear whether some users were able to use this exploit before it was brought to light.
What do you think about the issue? Should Valve have given more money to Drbrix?
