Valve gives $20k as reward for man who found exploit that generated infinite Steam keys

Security is highly important for any company, especially Valve, which runs the largest PC gaming storefront: Steam. This of course means that it's up to the team at Valve to make sure everything is as secure and safe as can be, for both its customers and itself. Sometimes, though, that's just not enough, which is when freelance system researchers come in, to see if there are any bugs or exploits that they can get through.

Enter Artem Moskowsky, a system researcher who had figured out a way to generate unlimited Steam game keys for himself. All this required was for any user with a Steam developer account to make a slight change to a single parameter, which then allowed him to request any number of copies of any game hosted on Steam. To test whether this would actually work, he made a request for 36,000 keys for Portal 2, which he received instantly through the exploit. Moskowsky immediately reported the bug to Valve's team, which then quickly fixed it.

Valve awarded him a bounty of $15,000 for finding this massive bug, along with a $5,000 bonus on top of it. This marks the second time that Moskowsky has helped Valve fix a major error within their system; earlier this year he was also rewarded $25,000 for finding an issue that allowed SQL data to be easily read.

Using the /partnercdkeys/assignkeys/ endpoint on partner.steamgames.com with specific parameters, an authenticated user could download previously-generated CD keys for a game to which they would not normally have access. Audit logs were not bypassed using this method, and an investigation of those audit logs did not show any prior or ongoing exploitation of this bug.


kuwanger

The more important thing is he wasn't sued into oblivion or threatened with decades of jail time after receiving said 36,000 keys and reporting it to Valve. As far as "should have paid him more", you wouldn't pay an internal developer the worth of a possible exploit either. Security researchers being paid such sums, as long as they're being compensated for the efforts within guidelines set by the company, is reasonable. Honestly, Valve and a lot of other companies aren't required to pay out any sort of bounty on bugs, security or otherwise, so I'd consider it a net win for both sides.
 

Zonark

How is it I'm always last to know about stuff like this? I didn't know anything about infinite steam keys :wtf:
This wasn’t a known bug; the dude literally just grinds away at server protocols and finds these bugs. This was never public. I never really thought about digging like this though, would be worth it to help Steam. I’m glad they are giving rewards.
 

RivenMain

G2A games would be like bro I'll give you a cut of all our earnings we need to milk the shit out of it~ lol That is very sad though. If Steam can detect false keys it will remove it from ur Steam. So I think if anyone's buying keys they should consider how dangerous this may be.
 
