Skip to main content

Researcher receives $20,000 from Valve as a reward for discovering a Steam exploit

Artem Moskowsky is a security researcher who was awarded $20,000 as a result of discovering a critical Steam bug.

Valve awarded Moskowsky the bounty after the vulnerability was fixed, and it seems to have been a critical one.

The bug was discovered "randomly" in the Steam partner portal, which game developers use to create keys and manage their games published on Steam. By making a simple API request, Moskowsky was able to get valid game keys for many Steam games.

In fact, upon finding the exploit, Moskowsky entered a "random string" into the request and ended up with 36,000 keys for Portal 2.

This could, obviously, easily be exploited by those looking to sell those keys on shady sites. Considering the staggering number of developers with access to this tool, it's not hard to imagine one of the makers of the many fake games on the platform would be interested in the idea.

"To exploit the vulnerability, it was necessary to make only one request," Moskowsky told The Register. "I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys."

The exploit, which was quickly fixed, can be seen on HackerOne - a site tech companies use often to fish for vulnerabilities in their code. Bounties are offered to whomever can identity them. The same researcher even claimed $25,000 from Valve for detecting a different issue in July.

Thanks, Games Industry.

Read this next