Valve has happily parted with the sum of £15,000 after a hacker let them know there was a glitch that could allow persons to generate thousands of free keys for any Game on Steam.
Artem Markowsky, a self-proclaimed “bug hunter”, has been doing this sort of research since his school days and has made a job out of finding and reporting flaws.
He stumbled upon the bug in August while looking through the Steam developer site and discovered that it was quite easy to alter parameters in the API request to get activation keys for any game selected as a result.
Luckily for Valve, though, Markowsky did not keep the information to himself and passed it on to the company, who in turn paid him $20,000 for his timely tip.
While the bug was discovered around three months ago, the gaming house only made the discovery public at the end of last month via HackerOne. Markowsky was awarded a $15,000 bounty plus a $5,000 bonus.
“Using the /partnercdkeys/assignkeys/ endpoint on partner.steamgames.com with specific parameters, an authenticated user could download previously-generated CD keys for a game which they would not normally have access,” Valve reported. “Audit logs were not bypassed using this method, and an investigation of those audit logs did not show any prior or ongoing exploitation of this bug.”
"This bug was discovered randomly during the exploration of the functionality of a web application," Markowsky told The Register. "It could have been used by any attacker who had access to the portal."
"To exploit the vulnerability, it was necessary to make only one request. I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys."
Apparently, the bug could have been a very costly one for Valve, with Markowsky going on to explain that he was able to generate 36,000 keys for Portal 2 – a game which still retails at $9.99 – by entering a random string.
This wasn’t the first time he got a payout from Valve either. The hacker was handed $25,000 from the company for finding an SQL Injection bug in their portal in July.