Valve patches Steam exploit that allowed inflation of wallet funds

Although the Epic Games Store hands out freebies on a frequent basis, Valve's Steam is still the platform of choice for most of the PC gaming community for several reasons: it's more mature, it regularly offers deep sales, and it has a massive library on offer. As such, it's particularly interesting to know that Steam actually had a bug which allowed people to add unlimited funds to their wallets.

The exploit was reported by "drbrix" on HackerOne on August 9. The full details are in the HackerOne report, but the gist of the matter is that if you had an email ID containing certain strings like "amount100", you could intercept the POST request to your Smart2Pay payment method and artificially inflate its value to receive more funds than what you actually paid for. Essentially, you could make a payment of $1 for Steam wallet funds but change the parameters of the POST request to receive a greater amount instead.

Valve accepted the report on August 10, issued it a "critical" severity rating, and applied a fix. The report indicates that while it is still possible to modify the parameter value in the POST request, this does not impact the amount you receive in return anymore.

The issue has been made public by Valve now that a fix has been applied on its production server. The person who initially informed Valve of the exploit has also been awarded a bounty of $7,500 because their report was "clearly written and helpful in identifying a real business risk". The email substring is important because it was being modified to inflate funds. For example, if your email had the substring "brixamount100", it could be changed to "brix&amount=100" in the POST request to receive more funds. It's currently unclear if the bug was being actively exploited.
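To illustrate the kind of server-side check that makes such tampering harmless, here is an added example (not code from Valve, Smart2Pay or the HackerOne report). It assumes hypothetical form fields `order_id`, `amount` and `email` and a constructed order record: the request is compared against what the server stored when the purchase started, and the credited amount is always read from that record.

```python
from collections import Counter
from urllib.parse import parse_qsl

# Constructed order record, written by the server when the purchase was started.
# Field names and values are assumptions made for this example.
ORDERS = {"ord-1001": {"email": "brixamount100@example.test", "amount": 1}}

# Constructed request bodies: one untouched, one with the email substring
# "brixamount100" rewritten to "brix&amount=100" as the article describes.
CLEAN = "order_id=ord-1001&amount=1&email=brixamount100%40example.test"
TAMPERED = "order_id=ord-1001&amount=1&email=brix&amount=100%40example.test"


class TamperedRequest(Exception):
    """Raised when a payment request disagrees with the stored order."""


def find_problems(body, orders=ORDERS):
    """Return the reasons (possibly none) to reject a form-encoded body."""
    pairs = parse_qsl(body, keep_blank_values=True)
    problems = []
    # A parameter that appears twice means different parsers may disagree
    # about which value is "the" amount, so reject instead of picking one.
    counts = Counter(name.lower() for name, _ in pairs)
    dupes = sorted(n for n, c in counts.items() if c > 1)
    if dupes:
        problems.append("duplicate parameter: " + ", ".join(dupes))
    first = {}
    for name, value in pairs:
        first.setdefault(name.lower(), value)
    order = orders.get(first.get("order_id", ""))
    if order is None:
        return problems + ["unknown order"]
    # Every client-supplied field must match what the server already knows.
    if first.get("email") != order["email"]:
        problems.append("email differs from stored order")
    if first.get("amount") != str(order["amount"]):
        problems.append("amount differs from stored order")
    return problems


def amount_to_credit(body, orders=ORDERS):
    """Credit only the stored amount, and only for an untampered request."""
    problems = find_problems(body, orders)
    if problems:
        raise TamperedRequest("; ".join(problems))
    return orders[dict(parse_qsl(body))["order_id"]]["amount"]
```

Because the credited value comes from the stored order, editing the request can at worst get it rejected, which matches the post-fix behaviour the report describes.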

Source: HackerOne via Eurogamer
