Until recently, Steam had an exploit that could’ve let you add unlimited funds to your Steam Wallet. Discovered by security researcher “drbrix”, the storefront had a way users could fake the value of their deposits by changing a few words in the email address associated with the account. Valve have patched the exploit now though, and awarded $7500 (around £5410) to drbrix for finding it.
The hack would’ve involved a Steam user changing their account email address to include the phrase “amount100”, before adding a little bit of money to their Wallet using a method that goes through the Smart2Pay payment system.
This exploit would then let the hacker intercept the request being sent to Smart2Pay’s servers, allowing them to alter how much money they were actually adding. So if they just paid $1, they’d be able to turn that into $100 instead. (I guess it’s technically not “infinite” if you have to pay a little bit every time, but still!) You can read the full explanation of how it all worked over on HackerOne.
In a thread that’s now been made public (seeing as the exploit has been fixed), Valve staff member “jonp” thanked drvrix, rewarding them with the $7500 bounty.
“This was clearly written and helpful in identifying a real business risk. We have changed the severity assessment to Critical, reflecting the potential cost to the business, and applied a bounty accordingly,” jonp said. “We hope to hear more from you in the future.”
It’s unclear if anyone managed to use this hack before it got patched, but in a statement to The Daily Swig, Valve said: “Thanks to the person who reported this bug we were able to work with the payment provider to resolve the issue without any impact on customers.”
All’s well that ends well then. Except for the people who might’ve been using that bug in secret, I suppose. No more freebies for them.