Hacker finds Steam bug that unlocks free games, collects $20K for reporting it

By Aaron Mamiit Published November 14, 2018

Security researcher Artem Moskowsky found a Steam bug that gave him access to infinite free keys for any game on the digital distribution platform, but instead of abusing the exploit, he reported it to Valve for a $20,000 reward.

Moskowsky told The Register that he accidentally discovered the vulnerability while browsing through the Steam partner portal, which is the website where developers manage games that may be downloaded on the platform. The security researcher, who has made a career as a bug hunter, noticed that it was easy to change the parameters of an API request, which gave him activation keys for certain games.

Recommended Videos

The API allows developers to acquire license keys for their games, which they can then pass on to gamers. However, as Moskowsky pointed out, it could have been abused by an attacker who has access to the Steam partner portal to generate an infinite number of activation keys for any game on Steam. It is also pretty easy to pose as a developer to gain access to the partner portal, so practically anybody could have taken advantage of the vulnerability.

Please enable Javascript to view this content

Moskowsky said that he entered a random string into the API request to check the severity of the bug. He then received 36,000 activation keys for Portal 2, which is being sold at $10 on Steam, for a total value of about $360,000 in just one command.

The Steam bug has now been recorded on the bug bounty website HackerOne, where it can be seen that Moskowsky reported the exploit to Valve on August 7. Valve took only a few days to patch up the vulnerability, and to award Moskowsky with a $15,000 bounty and a $5,000 bonus.

Valve is lucky that the exploit was discovered by an honest hacker like Moskowsky. The $20,000 reward to Moskowsky is minuscule compared to the possible losses that Steam would have suffered if the bug was widely used by pirates to grab free activation keys for every game on the platform.

Impressively, this is not the biggest bounty that Moskowsky has received from Valve. In July, the security researcher was awarded $25,000 for reporting an SQL injection bug, which was also discovered on the Steam partner portal.

Topics

Contributor

Aaron received an NES and a copy of Super Mario Bros. for Christmas when he was four years old, and he has been fascinated…

Gaming

Half-Life gets a free update and Steam Deck verification for its birthday

Artwork for the original Half-Life's 25th anniversary.

November 19 marks the 25th anniversary of the original Half-Life, and to celebrate, Valve made a special announcement. No, Half-Life 3 was not announced. But Valve celebrated the anniversary with a massive update to the game on PC and a new documentary detailing its development. The best part: It's all available for free.

Half-Life's 25th-anniversary update incorporates the Half-Life: Uplink demo that Valve gave away as a CD via magazine and hardware manufacturer promotions in the 1990s and introduces many multiplayer maps. That includes four brand-new maps -- Contamination, Pool Party, Disposal, and Rocket Frenzy -- and three more maps that were previously only included in the Half-Life: Further Data CD release: Double Cross, Rust Mill, and Xen DM. It's also now possible to play as a Space Biker, Prototype Barney, Skeleton, and Too Much Coffee Man and use dozens of Further Data sprays in Half-Life: Deathmatch.

Gaming

Counter-Strike 2 is now available on Steam for free after surprise launch

A team groups up in Counter-Strike 2.

With little more than a slight tease beforehand, Valve just launched Counter-Strike 2 on Steam.
Counter-Strike 2 - Launch Trailer
Counter-Strike is Valve's long-running competitive multiplayer shooter series. Counter-Strike: Global Offensive has stayed near the top of Steam's player count charts ever since it launched in 2012. After over a decade of dominance, Valve first announced Counter-Strike 2 as a free, sequel-level upgrade to Global Offensive earlier this year. After some slight teases earlier in the month, Valve finally decided to surprise launch the game on September 27.
Counter-Strike 2 builds upon Global Offensive in Valve's newer Source 2 game engine. Outside of the obvious visual upgrades that change brings, Counter-Strike 2 adds to its predecessor with a new CS Rating system, overhauled maps, and tweaks to core mechanics like smoke grenades and the tick rate at which the first-person shooter operates. Valve also promises that the game features "upgraded Community Workshop tools," so we should get some entertaining Counter-Strike 2 mods.

Valve intends for players to smoothly transition from Global Offensive to Counter-Strike 2 as the game has simply updated to make the transition, and all items players obtained in the former work in the latter. Hopefully, this approach works out better for Valve than it did for Blizzard with Overwatch 2 last year.
Counter-Strike 2 is available now on PC via Steam. It's a free-to-play game, although players can buy a Prime Status Upgrade for $15 that grants buyers the titular moniker. Having Prime Status grants exclusive items, item drops, and weapon cases and makes the game more likely to matchmake you with other Prime Status Counter-Strike 2 players.

Gaming

You can get a Steam Deck for 20% off right now during Steam Summer Sale

Steam Deck running Path of Exile and the S22 Ultra running Diablo Immortal.

If you've been waiting around for the right time to buy a Steam Deck, now is the time to pull the trigger. As a part of the annual Steam Summer Sale, Valve is offering a serious discount on all Steam Deck models. The stellar handheld gaming device hasn't seen a lot of price drops since its release in February 2022, so this is definitely a deal that you should take advantage of if you've been eyeing the mobile gaming powerhouse.

The most impressive Steam Deck model is getting the deepest discount. The 512GB model is dropping from $649 to $520 (20% off) and includes the following bonuses.