ALL THE LATEST NEWS ABOUT THE BUSINESS OF PC GAMES

News

Valve awards security researcher $20,000 after discovering limitless free game codes exploit

Valve awards security researcher $20,000 after discovering limitless free game codes exploit

Valve has awarded security researcher Artem Moskowski $20,000 by Valve for discovering a devastating exploit within Steam's developer accounts.

The issue let users with a developer account generate potentially thousands of game activation keys, for any title on the platform, by changing a single parameter. While testing the flaw, Moskowski was able to create 36,000 keys for Portal 2.

Moskowski reported the exploit to Valve, which runs a bug bounty programme through Hackerone. Valve has since fixed the exploit, for those of you looking to snag some free games.

"This bug was discovered randomly during the exploration of the functionality of a web application," Moskowski told The Register. "It could have been used by any attacker who had access to the portal.

"To exploit the vulnerability, it was necessary to make only one request. I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys."

This isn’t the first time the researcher has uncovered a flaw in Steam’s service, nor is it his biggest payout from Valve for doing so.

Moskowski’s discovery of an SQL injection bug in the same portal netted him $25,000 back in July.


Tags:
Staff Writer

Natalie Clayton is an Edinburgh-based freelance writer and game developer. Besides PCGamesInsider and Pocketgamer.biz, she's written across the games media landscape and was named in the 2018 GamesIndustry.biz 100 Rising Star list.

Comments

No comments
View options
  • Order by latest to oldest
  • Order by oldest to latest
  • Show all replies