Valve has awarded security researcher Artem Moskowski $20,000 for discovering a devastating exploit within Steam's developer accounts.
The issue let users with a developer account generate potentially thousands of game activation keys, for any title on the platform, by changing a single parameter. While testing the flaw, Moskowski was able to create 36,000 keys for Portal 2.
Moskowski reported the exploit to Valve, which runs a bug bounty programme through HackerOne. Valve has since fixed the exploit, for those of you looking to snag some free games.
"This bug was discovered randomly during the exploration of the functionality of a web application," Moskowski told The Register. "It could have been used by any attacker who had access to the portal.
"To exploit the vulnerability, it was necessary to make only one request. I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys."
This isn’t the first time the researcher has uncovered a flaw in Steam’s service, nor is it his biggest payout from Valve for doing so.
Moskowski’s discovery of an SQL injection bug in the same portal netted him $25,000 back in July.