Although the Epic Games Store hands out freebies on a frequent basis, Valve's Steam is still the platform of choice for most of the PC gaming community: it is more mature, it regularly offers deep sales, and it has a massive library on offer. As such, it's particularly interesting to know that Steam actually had a bug which allowed people to add unlimited funds to their wallets.
The exploit was reported by "drbrix" on HackerOne on August 9. The full details are in the HackerOne report, but the gist of the matter is that if you had an email address containing certain strings like "amount100", you could intercept the POST request to your Smart2Pay payment method and artificially inflate its value to receive more funds than what you actually paid for. Essentially, you could make a payment of $1 for Steam wallet funds but change the parameters of the POST request to receive a greater amount instead.
Valve accepted the report on August 10, issued it a "critical" severity rating, and applied a fix. The report indicates that while it is still possible to modify the parameter value in the POST request, this does not impact the amount you receive in return anymore.
The issue has been made public by Valve now that a fix has been applied on its production server. The person who initially informed Valve of the exploit has also been awarded a bounty of $7,500 because their report was "clearly written and helpful in identifying a real business risk". The email substring is important because it was being modified to inflate funds. For example, if your email had the substring "brixamount100", it could be changed to "brix&amount=100" in the POST request to receive more funds. It's currently unclear if the bug was being actively exploited.
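The check below is an added example, not code from Valve, Smart2Pay or the HackerOne report. It shows one way a server can keep an edited POST body from changing the credited amount: refuse repeated parameters and credit only what the stored order says. The field names `order_id` and `email`, the order table and the sample bodies are constructed assumptions; only the `amount` parameter and the "brixamount100" substring come from the article.

```python
from urllib.parse import parse_qsl

# Constructed server-side order record (assumption): what the user agreed to pay.
ORDERS = {"order-1001": {"amount": 1, "email": "brixamount100@example.com"}}

# Constructed sample bodies. ORIGINAL is what the payment page submits;
# SPLIT_EMAIL has the email text rewritten so it yields a second "amount";
# EDITED_AMOUNT simply changes the amount value.
ORIGINAL = "order_id=order-1001&amount=1&email=brixamount100%40example.com"
SPLIT_EMAIL = "order_id=order-1001&amount=1&email=brix&amount=100%40example.com"
EDITED_AMOUNT = "order_id=order-1001&amount=100&email=brixamount100%40example.com"


def parse_strict(body):
    """Parse a form body, refusing repeated keys instead of silently picking one."""
    fields = {}
    for key, value in parse_qsl(body, keep_blank_values=True, strict_parsing=True):
        if key in fields:
            raise ValueError(f"duplicate parameter: {key}")
        fields[key] = value
    return fields


def amount_to_credit(body):
    """Return (amount, findings). The amount is read from the order record only."""
    try:
        fields = parse_strict(body)
    except ValueError as exc:
        return 0, [str(exc)]
    order = ORDERS.get(fields.get("order_id"))
    if order is None:
        return 0, ["unknown order"]
    findings = []
    if fields.get("email") != order["email"]:
        findings.append("email differs from order record")
    if fields.get("amount") != str(order["amount"]):
        findings.append("amount differs from order record")
    if findings:
        return 0, findings  # reject and log; never credit a client-supplied value
    return order["amount"], findings


if __name__ == "__main__":
    for name, body in [("original", ORIGINAL), ("split email", SPLIT_EMAIL),
                       ("edited amount", EDITED_AMOUNT)]:
        print(name, amount_to_credit(body))
```

The findings list doubles as a detection signal: a duplicate `amount` or a mismatch against the order record is worth logging and alerting on, since a normal checkout never produces either.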