An avid bug hunter has discovered a vulnerability in Valve’s Steam developer portal that, if exploited, reveals every license key for every game available on the platform. Instead of selling the keys for illicit profit, he reported the flaw to Valve.
Artem Moskowsky discovered the bug in August, but Valve published the news only recently, taking enough time to patch the flaw and make sure it can never be exploited again.
Moskowsky reportedly stumbled across the bug by mistake, while taking an innocent stroll down Valve’s developer site, where game sellers can manage their titles.
The Register reports that the researcher “noticed it was fairly easy to change parameters in an API request, and get activation keys for a selected game in return. Those keys, also known as CD keys, can be used to activate and play games downloaded from Steam. The API is provided so developers and their partners can obtain license keys for their titles to pass onto gamers.”
“This bug was discovered randomly during the exploration of the functionality of a web application. It could have been used by any attacker who had access to the portal,” Moskowsky told the news site.
“To exploit the vulnerability, it was necessary to make only one request,” he added. “I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys.”
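A simplified model of the class of flaw described above, added here as an example; it is not code from the article, Valve or Moskowsky's report. It shows a handler that authorizes one client-supplied parameter but looks up keys by another, next to a version that authorizes the object actually returned. The parameter names `app_id` and `key_set_id`, the sample data and both functions are hypothetical.

```python
# Constructed sample data: app ownership and the app each key set belongs to.
APP_OWNER = {"app-100": "partner-a", "app-200": "partner-b"}
KEY_SETS = {
    "set-1": {"app_id": "app-100", "keys": ["AAAAA-11111", "AAAAA-22222"]},
    "set-2": {"app_id": "app-200", "keys": ["BBBBB-11111"]},
}


class Forbidden(Exception):
    """Raised when the authenticated partner may not read the requested keys."""


def fetch_keys_vulnerable(session_partner, params):
    """Checks ownership of one request parameter, then fetches by another."""
    if APP_OWNER.get(params["app_id"]) != session_partner:
        raise Forbidden("caller does not own app")
    # Flaw: key_set_id is never tied back to the app that was just authorized,
    # so the check above says nothing about the data returned below.
    return KEY_SETS[params["key_set_id"]]["keys"]


def fetch_keys_hardened(session_partner, params, audit):
    """Authorizes the object actually returned, using server-side records only."""
    key_set_id = params.get("key_set_id")
    key_set = KEY_SETS.get(key_set_id)
    # Ownership is derived from the stored key set, not from client input;
    # any app_id the client sends is ignored.
    owner = APP_OWNER.get(key_set["app_id"]) if key_set else None
    if key_set is None or owner != session_partner:
        # Same error for "unknown" and "not yours" so IDs cannot be enumerated;
        # the denial is recorded so repeated probing shows up in review.
        audit.append(("denied", session_partner, key_set_id))
        raise Forbidden("key set not available to caller")
    return key_set["keys"]


if __name__ == "__main__":
    audit_log = []
    tampered = {"app_id": "app-100", "key_set_id": "set-2"}
    print("vulnerable:", fetch_keys_vulnerable("partner-a", tampered))
    try:
        fetch_keys_hardened("partner-a", tampered, audit_log)
    except Forbidden as exc:
        print("hardened:", exc, audit_log)
```
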
In one case, Moskowsky says he obtained 36,000 license keys for the relatively old (but still relevant) Portal 2 game, developed by Valve itself. The game retails for $9.99, which (theoretically) would translate into around $359,640 in lost revenue for the developer, if the keys got sold on the black market.
The researcher reported the flaw via HackerOne, the bug bounty platform that connects businesses with cybersecurity researchers in an effort to find and fix bugs before unethical hackers beat them to it.
Valve awarded Moskowsky the $15,000 bounty — plus an additional $5,000 because the company felt he deserved an extra bonus for the find. The Register notes that Moskowsky previously got a $25,000 reward for finding a vulnerability in the exact same platform. Looks like ethical hacking does pay!