Steam games are quite expensive, but that's not a problem when you can turn a dollar into unlimited funds. Steam recently awarded a $7,500 bug bounty to a security researcher who discovered an interesting (and potentially very lucrative) bug in the Steam Wallet. By using an online payment company's API, cybercriminals could trick Steam into adding a theoretically unlimited amount of money to a user's account.
This information comes from a highly technical report published on HackerOne via The Daily Swig. Security researcher "drbrix" outlined all of his findings and disclosed exactly how to exploit the bug. (According to comments in the HackerOne thread, Steam patched the bug a few weeks ago.)
Briefly, here's how the flaw works: first, the user opens their Steam Wallet and adds a payment method. One possible method is Smart2Pay, a Dutch online payment company. By directly modifying Smart2Pay's API, drbrix discovered that he could edit the payment amount after making any form of legitimate deposit. That is, he could pay $1 to Smart2Pay and then have Steam believe that he had added $100 to his account.
Apparently, $100 is the limit for which a correction request can be made, which means, in effect, that one can purchase 10 new full-price games for $6. It is not hard to imagine that if someone had taken advantage of this flaw in the wild, it could have caused a lot of mischief.
The good news is that no one other than drbrix, while he was testing it, seems to have taken advantage of this exploit. The even better news is that users don't need to do anything special to fix it; it's not clear if Smart2Pay has patched the API as well, but it's also not clear if such a patch is needed.
For his efforts, drbrix received a $7,500 bug bounty from Steam, and a Valve representative called the bug a "true business risk" in comments on HackerOne.
While there is nothing for everyday users to worry about here, this story serves as a best-case scenario for companies dealing with live software defects. A researcher found the flaw, reported it through the correct channels, and received a large bounty for his efforts; Valve acknowledged the problem and immediately patched it. There are more nightmarish ways to go about this.
As for your own Steam wallet, the usual caveats apply: both Steam and PayPal offer two-factor authentication, and you should employ both; you can't turn $1 into $100, but with frequent Steam sales, you can get major titles for relatively small amounts.