Security researcher Artem Moskowsky found a Steam bug that gave him access to infinite free keys for any game on the digital distribution platform, but instead of abusing the exploit, he reported it to Valve for a $20,000 reward.
Moskowsky told The Register that he accidentally discovered the vulnerability while browsing through the Steam partner portal, which is the website where developers manage games that may be downloaded on the platform. The security researcher, who has made a career as a bug hunter, noticed that it was easy to change the parameters of an API request, which gave him activation keys for certain games.
The API allows developers to acquire license keys for their games, which they can then pass on to gamers. However, as Moskowsky pointed out, it could have been abused by an attacker who has access to the Steam partner portal to generate an infinite number of activation keys for any game on Steam. It is also pretty easy to pose as a developer to gain access to the partner portal, so practically anybody could have taken advantage of the vulnerability.
Moskowsky said that he entered a random string into the API request to check the severity of the bug. He then received 36,000 activation keys for Portal 2, which is being sold at $10 on Steam, for a total value of about $360,000 in just one command.
The Steam bug has now been recorded on the bug bounty website HackerOne, where it can be seen that Moskowsky reported the exploit to Valve on August 7. Valve took only a few days to patch up the vulnerability, and to award Moskowsky with a $15,000 bounty and a $5,000 bonus.
Valve is lucky that the exploit was discovered by an honest hacker like Moskowsky. The $20,000 reward to Moskowsky is minuscule compared to the possible losses that Steam would have suffered if the bug was widely used by pirates to grab free activation keys for every game on the platform.
Impressively, this is not the biggest bounty that Moskowsky has received from Valve. In July, the security researcher was awarded $25,000 for reporting an SQL injection bug, which was also discovered on the Steam partner portal.