Hacker that found it made a cool $7500.
Thanks to the work of a white hat hacker, Valve has identified and eliminated a flaw in their payment system that would allow a bad actor to gain unlimited Steam Wallet funds.
The exploit would’ve allowed someone to turn a $1 deposit into, say, $100, or more. It worked by changing the account’s email to one including “amount100,” and intercepting the message to the payment API. A user going by the name drbrix on HackerOne, a white hat hacking bug bounty site, found and wrote up the exploit, labeling it as a medium threat, with the following reason: “I think impact is pretty obvious, attacker can generate money and break steam market, sell game keys for cheap etc.”
After review, Valve updated that threat to critical, paying out the $7500 bounty to drbrix. They said the following in a statement to The Daily Swig:
Thanks to the person who reported this bug we were able to work with the payment provider to resolve the issue without any impact on customers.