Security Flaw That Enabled Unlimited Steam Wallet Funds Found And Dealt With


Hacker that found it made a cool $7500.

Thanks to the work of a white hat hacker, Valve has identified and eliminated a flaw in its payment system that would have allowed a bad actor to gain unlimited Steam Wallet funds.

The exploit would’ve allowed someone to turn a $1 deposit into, say, $100, or more. It worked by changing the account’s email to one including “amount100,” and intercepting the message to the payment API. A user going by the name drbrix on HackerOne, a white hat hacking bug bounty site, found and wrote up the exploit, labeling it as a medium threat, with the following reason: “I think impact is pretty obvious, attacker can generate money and break steam market, sell game keys for cheap etc.”

After review, Valve updated that threat to critical, paying out the $7500 bounty to drbrix. They said the following in a statement to The Daily Swig:

“Thanks to the person who reported this bug we were able to work with the payment provider to resolve the issue without any impact on customers.”

About Author

B. Simmons

Based out of Glendale, California, Bryan is GAMbIT's resident gaming contributor. Specializing in PC and portable gaming, you can find Bryan on his 3DS playing Monster Hunter or at one of the various conventions throughout the state.
