Valve paid $20,000 to hacker who discovered critical Steam security flaw

Security researcher Artem Moskowsky recently discovered a flaw in Steam that enabled unscrupulous users with access to the developer portal to generate unlimited game keys. But rather than rewarding himself with a copy of every game on the platform, or generating thousands of Crusader Kings 2 keys to unload through resellers, he brought the problem to Valve's attention and was rewarded with $20,000 for his troubles.

"This bug was discovered randomly during the exploration of the functionality of a web application," Moskowsky told The Register. "It could have been used by any attacker who had access to the portal."   

"To exploit the vulnerability, it was necessary to make only one request. I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys."   

To demonstrate the severity of the issue, Moskowsky said he entered a random string into a request at one point and ended up with 36,000 activation keys for Portal 2. At full retail price, that's $360,000 worth of game keys; offload them at a 95 percent discount and you're still making serious book for minimal effort, which is presumably why Valve rewarded him so handsomely for the find. 

A more detailed breakdown of the issue is available from HackerOne, a site dedicated to security research and disclosure, and "bug bounty" programs. 

"Using the /partnercdkeys/assignkeys/ endpoint on partner.steamgames.com with specific parameters, an authenticated user could download previously-generated CD keys for a game which they would not normally have access," it says. "Audit logs were not bypassed using this method, and an investigation of those audit logs did not show any prior or ongoing exploitation of this bug." 

I won't pretend to know what that means, but the site describes the severity of the vulnerability as "critical," complete with a little red bar indicating that this is very serious stuff. Moskowsky reported the issue on August 7, and received his reward—a $15,000 bounty, plus a $5,000 bonus—on August 10. The report was only made public on October 31, however, which is why you're just hearing about it now.
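The class of access-control failure in the HackerOne summary, shown as an added example that is not from this article, HackerOne or Valve: a constructed handler that authorizes one request parameter while fetching by another, its corrected form, and an audit-log pass of the kind the summary mentions. All account names, IDs, keys and function names are hypothetical.

```python
# Constructed model of a partner key-download handler. Every name and value
# here is hypothetical; this is not Valve's code or its real parameters.
KEY_SETS = {            # key_set_id -> (app_id that owns the set, keys)
    101: (1001, ["AAAAA-BBBBB-CCCCC"]),
    202: (2002, ["DDDDD-EEEEE-FFFFF"]),
}
PARTNER_APPS = {"partner_a": {2002}}   # apps each account may manage
AUDIT_LOG = []                         # (user, app_id, key_set_id) per request


class Forbidden(Exception):
    pass


def assign_keys_vulnerable(user, app_id, key_set_id):
    """Checks ownership of one parameter, then fetches by the other."""
    AUDIT_LOG.append((user, app_id, key_set_id))
    if app_id not in PARTNER_APPS.get(user, set()):
        raise Forbidden("caller does not manage this app")
    return KEY_SETS[key_set_id][1]     # never tied back to app_id


def assign_keys_hardened(user, app_id, key_set_id):
    """Derives the owning app from the stored record and authorizes that."""
    AUDIT_LOG.append((user, app_id, key_set_id))
    record = KEY_SETS.get(key_set_id)
    if record is None:
        raise Forbidden("unknown key set")
    owner_app, keys = record
    if owner_app != app_id or owner_app not in PARTNER_APPS.get(user, set()):
        raise Forbidden("key set belongs to an app the caller does not manage")
    return keys


def review_audit_log(log):
    """Return requests for key sets whose owning app the caller cannot manage."""
    return [
        (user, app_id, key_set_id)
        for user, app_id, key_set_id in log
        if key_set_id not in KEY_SETS
        or KEY_SETS[key_set_id][0] not in PARTNER_APPS.get(user, set())
    ]


if __name__ == "__main__":
    print(assign_keys_vulnerable("partner_a", 2002, 101))  # another app's keys
    try:
        assign_keys_hardened("partner_a", 2002, 101)
    except Forbidden as exc:
        print("denied:", exc)
    print(review_audit_log(AUDIT_LOG))
```

Both handlers log the request before authorizing it, so denied attempts remain visible to the review pass.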

Valve has actually been paying ethical hackers who discover security vulnerabilities on Steam for quite some time now. We first heard about its bug bounty program, and the HackerOne site, in May of this year, but it later came to light that the program had been operating for at least seven months prior to that. Reports of payments on HackerOne go back at least a year, but details on most of them haven't been disclosed. Moskowsky is doing pretty well by it, though: Along with numerous smaller ($500-$750) payments, another critical vulnerability he reported in July earned him $25,000.

Andy Chalk
US News Lead
