Artem Moskowsky is a security researcher who was awarded $20,000 for discovering a serious Steam bug.
Valve awarded Moskowsky the bounty after the vulnerability was fixed, and it appears to have been a serious one.
The bug was found “randomly” in the Steam partner portal, which game developers use to create keys and manage their games published on Steam. By making a simple API request, Moskowsky was able to get legitimate game keys for many Steam games.
In fact, upon discovering the exploit, Moskowsky entered a “random string” into the request and ended up with 36,000 keys for Portal 2.
This could, obviously, easily be exploited by those looking to sell these keys on shady websites. Considering the staggering number of developers with access to this tool, it’s not hard to imagine that one of the makers of the many fake games on the platform would be interested in the idea.
“To exploit the vulnerability, it was necessary to make only one request,” Moskowsky told The Register. “I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys.”
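The page gives no details of the request, so the following is an added example, not Valve's code or the researcher's request: a constructed Python model of one way the class of flaw described in the quote can arise, with ownership verified for one parameter while keys are fetched by another, shown beside a handler that authorises the object actually returned. All names and data (`APP_OWNERS`, `KEY_SETS`, both handlers) are hypothetical.

```python
# Constructed model; every name and value is hypothetical, not Steam's API.
APP_OWNERS = {100: "studio_a", 200: "studio_b"}   # app_id -> partner account
KEY_SETS = {                                      # key_set_id -> (app_id, keys)
    1: (100, ["AAAA-1111", "AAAA-2222"]),
    2: (200, ["BBBB-1111", "BBBB-2222"]),
}


class Forbidden(Exception):
    """Raised when the caller is not authorised for the requested resource."""


def get_keys_flawed(account, app_id, key_set_id):
    # Ownership is verified for app_id only...
    if APP_OWNERS.get(app_id) != account:
        raise Forbidden("account does not own app")
    # ...but the key set is looked up by a second, unchecked parameter.
    return KEY_SETS[key_set_id][1]


def get_keys_checked(account, app_id, key_set_id):
    entry = KEY_SETS.get(key_set_id)
    if entry is None:
        raise Forbidden("unknown key set")
    owning_app, keys = entry
    # Authorise the object actually returned: the key set's own app must
    # match the requested app AND belong to the authenticated account.
    if owning_app != app_id or APP_OWNERS.get(owning_app) != account:
        raise Forbidden("account does not own this key set")
    return keys


def is_denied(handler, account, app_id, key_set_id):
    """Return True if the handler refuses the request."""
    try:
        handler(account, app_id, key_set_id)
        return False
    except Forbidden:
        return True
```

A regression test for this kind of endpoint should cover the mismatched pair (an app the caller owns combined with a key set belonging to someone else), since a test that varies only one parameter at a time passes against both handlers.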
The exploit, which was quickly fixed, can be seen on HackerOne, a website tech companies often use to fish for vulnerabilities in their code. Bounties are offered to whoever can identify them. The same researcher also claimed $25,000 from Valve for detecting a different issue in July.
Thanks, Games Industry.