PYMNTS-MonitorEdge-May-2024

Valve Squashes Steam Bug That Could Fill Gamers’ Wallets

Steam, Valve, Bug

Video game developer Valve plugged a security bug that could have been used by gamers to fill their Steam wallets with unlimited funds, ThreatPost and other media outlets reported.

A Hackerone security researcher submitted the exploit and was awarded a $7,500 bug bounty for discovering and reporting the critical flaw, according to PVPLive and others on Twitter.

The researcher, who goes by the moniker ‘drbrix,’ found the exploit and was able to keep loading funds into his Steam wallet without actually paying for it. He indicated that the only thing he needed to manipulate Steam’s payment system was an email registered to a Steam account. 

See also: Hackers Putting Crypto Mining Malware Inside Video Games

Adding the numerical dollar figure after the word “amount” — for example, “amount5000” — would trigger those funds to be added to the gamer’s Steam wallet. The researcher indicated that he went through the process just to show it could be done and then disclosed it to Valve, according to reports. 

The bug allegedly worked with payments processed over the smart2pay system. Valve has fixed the issue, which was considered a critical security flaw, and rewarded drbrix with a bug bounty.

Related news: Poly Network Thanks ‘White Hat’ Hacker/Hackers With $500K Reward

Steam Wallet funds can only be used on the Steam platform for in-game purchases, such as merchandise, subscriptions and content. The funds can’t be transferred beyond the network and can’t be traded with other Steam wallet users. There are, however, some untoward methods people can use to turn those funds into real money, according to ThreatPost.

“The bug was exploited by abusing Valve’s own application programming interface (API) used to communicate with the third-party web payment firm Smart2Pay, owned by Nuvei,” according to the article.

drbrix said the hack gave an attacker the ability to interrupt the POST request — used to send data to the API server — sent from Valve to Smart2Pay as it moved across the Valve API.

“We have changed the severity assessment to Critical, reflecting the potential cost to the business, and applied a bounty accordingly,” Valve wrote, thanking drbrix for the tip.

PYMNTS-MonitorEdge-May-2024