
Steam bug exposes license keys for every game available on platform

Filip TRUȚĂ

November 12, 2018


An avid bug hunter has discovered a vulnerability in Valve's Steam developer portal which, exploited properly, reveals every license key for every game available on the platform. Instead of selling the keys for illicit profit, he reported the flaw to Valve.

Artem Moskowsky discovered the bug in August, but Valve published the news only recently, taking enough time to patch the flaw and make sure it can never be exploited again.

Moskowsky reportedly stumbled across the bug by mistake, while taking an innocent stroll down Valve's developer site, where game sellers can manage their titles.

The Register reports that the researcher “noticed it was fairly easy to change parameters in an API request, and get activation keys for a selected game in return. Those keys, also known as CD keys, can be used to activate and play games downloaded from Steam. The API is provided so developers and their partners can obtain license keys for their titles to pass onto gamers.”

“This bug was discovered randomly during the exploration of the functionality of a web application. It could have been used by any attacker who had access to the portal,” Moskowsky told the news site.

“To exploit the vulnerability, it was necessary to make only one request,” he added. “I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys.”
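The class of flaw described here, an ownership check that does not cover the object actually returned, can be shown with an added example that is not Valve's code and not taken from the report. The handler names, parameter names (`owned_app_id`, `key_set_app_id`) and data are hypothetical, and the split between a checked parameter and an unchecked one is an assumption about how such a bypass can arise.

```python
# Constructed data: which partner account manages which app, and each app's keys.
APP_OWNERS = {1001: "partner_a", 2002: "partner_b"}
KEY_POOLS = {1001: ["AAAA-1", "AAAA-2"], 2002: ["BBBB-1", "BBBB-2", "BBBB-3"]}


class Forbidden(Exception):
    """Raised when the caller may not read the requested key set."""


def fetch_keys_vulnerable(session_user, params):
    """Flawed pattern: ownership is verified on one parameter, keys are read via another."""
    # The check uses 'owned_app_id' (hypothetical name), which the client
    # can simply set to an app it legitimately manages.
    if APP_OWNERS.get(params["owned_app_id"]) != session_user:
        raise Forbidden("caller does not manage this app")
    # The lookup uses a second client-supplied ID that was never authorized.
    return list(KEY_POOLS.get(params["key_set_app_id"], []))


def fetch_keys_hardened(session_user, params):
    """Authorize the exact object being returned, against the server-side session."""
    app_id = params["key_set_app_id"]
    owner = APP_OWNERS.get(app_id)
    # Deny unauthenticated callers and unknown apps as well as non-owners.
    if session_user is None or owner is None or owner != session_user:
        raise Forbidden("caller does not manage this app")
    return list(KEY_POOLS[app_id])


if __name__ == "__main__":
    # partner_a passes the check with its own app but asks for partner_b's keys.
    request = {"owned_app_id": 1001, "key_set_app_id": 2002}
    print("vulnerable:", fetch_keys_vulnerable("partner_a", request))
    try:
        fetch_keys_hardened("partner_a", request)
    except Forbidden as exc:
        print("hardened: denied -", exc)
```
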

In one case, Moskowsky says he obtained 36,000 license keys for the relatively old (but still relevant) Portal 2 game, developed by Valve itself. The game retails for $9.99, which (theoretically) would translate into around $359,640 in lost revenue for the developer, if the keys got sold on the black market.

The researcher reported the flaw via HackerOne, the bug bounty program that connects businesses with cybersecurity researchers in an effort to find and fix bugs before unethical hackers beat them to it.

Valve awarded Moskowsky the $15,000 bounty — plus an additional $5,000 because the company felt he deserved an extra bonus for the find. The Register notes that Moskowsky previously got a $25,000 reward for finding a vulnerability in the exact same platform. Looks like ethical hacking does pay!

Author


Filip TRUȚĂ

Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
