Valve gives $20k as reward for man who found exploit that generated infinite Steam keys


Security is highly important for any company, especially Valve, which runs the largest PC gaming storefront: Steam. This of course means that it's up to the team at Valve to make sure everything is as secure and safe as can be, for both its customers and itself. Sometimes, though, that's just not enough, which is when freelance system researchers come in, to see if there are any bugs or exploits that they can get through. Enter Artem Moskowsky, a system researcher who had figured out a way to generate unlimited Steam game keys for himself. All this required was for any user with a Steam developer account to make a slight change to a single parameter, which then allowed him to request any number of copies of any game hosted on Steam. Attempting to test if this actually would work, he made a request for 36,000 keys for Portal 2, which he received instantly through the exploit. Moskowsky immediately reported the bug to Valve's team, which was then quickly fixed from ever happening again. Valve awarded him a bounty of $15,000 for finding this massive bug, along with a $5,000 bonus on top of it. This marks the second time that Moskowsky has helped Valve fix a major error within their system, in which he also was rewarded $25,000 for finding an issue that allowed SQL data to be easily read earlier this year.

Using the /partnercdkeys/assignkeys/ endpoint on partner.steamgames.com with specific parameters, an authenticated user could download previously-generated CD keys for a game which they would not normally have access. Audit logs were not bypassed using this method, and an investigation of those audit logs did not show any prior or ongoing exploitation of this bug.
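An added example, not part of the original post and not Valve's tooling: the kind of audit-log review the statement above refers to, flagging requests to the key endpoint for apps outside the requesting partner's account or in unusually large batches. The log format, partner names, app IDs and the 5,000-key threshold are assumptions constructed for the example.

```python
import json

KEY_ENDPOINT = "/partnercdkeys/assignkeys/"  # endpoint named in the report summary

# Constructed sample data (hypothetical partners, app IDs and log format).
PARTNER_APPS = {"partner-17": {1001, 1002}, "partner-42": {2001}}
SAMPLE_AUDIT_LOG = """\
{"ts": "2018-08-07T10:00:00Z", "partner": "partner-17", "path": "/partnercdkeys/assignkeys/", "appid": 1001, "keys": 250}
{"ts": "2018-08-07T10:05:00Z", "partner": "partner-42", "path": "/partnercdkeys/assignkeys/", "appid": 1002, "keys": 36000}
{"ts": "2018-08-07T10:06:00Z", "partner": "partner-42", "path": "/partnercdkeys/assignkeys/", "appid": 2001, "keys": 20000}
{"ts": "2018-08-07T10:07:00Z", "partner": "partner-17", "path": "/partner/other/", "appid": 9999, "keys": 0}
truncated-line {"ts": "2018-08-07T10:08
{"ts": "2018-08-07T10:09:00Z", "partner": "partner-99", "path": "/partnercdkeys/assignkeys/", "appid": 2001, "keys": 10}
"""


def review_audit_log(text, partner_apps, max_keys=5000):
    """Return (line_no, partner, appid, reasons) for every suspicious record."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            partner, appid, keys = rec["partner"], int(rec["appid"]), int(rec["keys"])
            path = rec["path"]
        except (ValueError, KeyError, TypeError):
            # A record that cannot be read is reported, never silently skipped.
            findings.append((line_no, None, None, ["unparseable"]))
            continue
        if path != KEY_ENDPOINT:
            continue
        reasons = []
        if partner not in partner_apps:
            reasons.append("unknown-partner")
        elif appid not in partner_apps[partner]:
            reasons.append("app-not-owned")  # keys for a game outside the account
        if keys > max_keys:
            reasons.append("bulk-request")   # batch above the assumed threshold
        if reasons:
            findings.append((line_no, partner, appid, reasons))
    return findings


if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_AUDIT_LOG, PARTNER_APPS):
        print(finding)
```

The ownership test is the same check the endpoint itself has to enforce on every request; running it over the logs only shows whether it was ever missed.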

 

sarkwalvein

Congratulations and crisis averted for Steam I guess.
So, people who used that exploit (if there are any) got banned?
Audit logs were not bypassed using this method, and an investigation of those audit logs did not show any prior or ongoing exploitation of this bug.
 

Juggalo Debo

20k that he can put to a down payment on a house at least, or even buy a new car, depending on the model. You kids and your talk of buying games with 20k. *psshh*
I was thinking the same thing.... I was looking at it going damn that would help out with my adulting..... lol good find
 

supersonicwaffle

Yet they can't afford some people to have some game quality check on the crap some people upload

or just don't care

Or, they're just making the best out of a bad situation. As much as people would like to see curation, imagine what would happen if a game like Depression Quest didn't meet the standard, the shitstorm that would ensue would be much worse, especially considering the stance games media has taken.
Ultimately I trust consumers more to look into what they're buying and making use of the refund option than I trust people not to be offended
 

Vieela

How did this exploit even happen? This is literally such a gigantic flaw... Steam is just so damn lucky to have someone actually reporting it, or else, this could've gone waaaaaay wronger.
 

Kigiru

Glad to see people getting an actual payment for what is supposed to be the job of coders and software testers. Considering the scale and impact of such an exploit, I think that 20k is a fair amount of money.
 

pustal

With the amount of sales you could buy with that money, you could argue that he still has infinite keys lol

I can sympathize with you @Sonic Angel Knight if I used Steam. But nice going for the guy 20k.

20K can buy a ton of games...

20k is nothing for this kind of info. He sold cheap. If he does this for a living remember he has to pay his bills and 20k is hardly a boost for such privilege information. I had friends that were offered 300k for debatable less impact security info.

...traitor...

And why would he be a traitor? Were you or anyone else involved in the work to find the exploit?
 

eyeliner

20k is nothing for this kind of info. He sold cheap. If he does this for a living remember he has to pay his bills and 20k is hardly a boost for such privilege information. I had friends that were offered 300k for debatable less impact security info.
It depends. This isn't national security or bank account info. No personal data is transferred. At most, this would raise a flag for the amount of free keys a developer was requesting, and the hassle it would generate.
Not at all a breaking issue.
 

Ev1l0rd


In all seriousness, it appears that this required a Steam developer account? While not a very high bar, I would think that it would prevent most of us normies from exploiting it anyways. :P
Except Valve has made the steam store a free for all, so a developer account is just 100 bucks away if I'm not mistaken (the price of getting a game through Steam Direct).
 

leon315

20k that he can put to a down payment on a house at least, or even buy a new car, depending on the model. You kids and your talk of buying games with 20k. *psshh*
man, that proves u are the only few grown adult among a forum full of kids who just live in their mother's house and they think nothing but games whole the day.
 

leon315

The more important thing is he wasn't sued into oblivion or threatened with decades of jail time after receiving said 36,000 keys and reporting it to Valve. As far as "should have paid him more", you wouldn't pay an internal developer the worth of a possible exploit either. Security researchers being paid such sums, as long as they're being compensated for the efforts within guidelines set by the company, is reasonable. Honestly, Valve and a lot of other companies aren't required to pay out any sort of bounty on bugs, security or otherwise, so I'd consider it a net win for both sides.
Just wondering, those steam keys found in the wild are far cheaper than Steam's, where did they get keys at ridiculous price? I suspect that this guy is not the only one aware of this exploit....
 

lordelan

He could have become a millionaire by selling keys for the rest of his life (of course doing it smart and not too obvious).
Nice move to report that bug instead.
 