
Valve patches exploit that allowed free Steam Wallet funds

Summary

A security researcher discovered an exploit that allowed for unlimited funds to be added to a user's steam wallet, an exploit that would allow someone to purchase any item from the Steam store or items on the Steam marketplace.

After reporting the exploit to Valve via HackerOne, Valve quickly responded to fix the exploit and awarded a $7500 bounty for reporting the exploit.

Quotes

Quote

A security researcher on Hackerone recently submitted an exploit that could be used on Steam to gain unlimited funds. The exploit has since been patched by Valve and the company awarded the user who discovered this exploit $7500.

On August 9, Hackerone user Drbrix privately alerted Valve to a Steam Wallet exploit that involved changing your email address and intercepting transactions that use any Smart2Pay payment method. 

“I think impact is pretty obvious, attacker can generate money and break the Steam market, sell game keys for cheap etc,” posted Drbrix in their Hackerone report.

To view the details on exactly how the exploit worked you can view the hackerone report, which has been made public after it was patched. https://hackerone.com/reports/1295844

My thoughts

Damn. This could have actually been pretty devastating for Valve if it had not been reported. Credit to the researcher who reported it responsibly.

I'm sure Valve would have been able to track any suspicious transactions or suspicious Steam wallets, so adding 50 million dollars to your Steam wallet probably wouldn't get you very far. More normal smaller transactions might have slipped under the radar though. I bet Valve are now investigating to see if this exploit had been actively used.

$7500 bounty seems low for an exploit that could have caused this much damage in my opinion, though on HackerOne bugs/exploits in Steam that are ranked 'critical' have a listed payout of $7500. Compared to other large platforms like Google, Apple, and perhaps the most appropriate comparison, Epic Games Store, these payouts for Steam seem low, but regardless it's still good that Valve is encouraging responsible disclosure practices for security vulnerabilities and they were quick to respond and patch it.

Quote

Rewards

The following reward tables are based on Valve's severity assessment, as described above.

Steam

Critical High Medium Low
$7,500 $2,500 $750 $200

CS:GO, Dota2, Team Fortress 2, Dota Underlords, Artifact, Half-Life: Alyx

Critical High Medium Low
$7,500 $2,500 $750 $200

Left 4 Dead 2, Left 4 Dead

Critical High Medium Low
$2,500 $750 $200 $100

Portal 2, Portal, Counter-Strike: Source, Half-Life 2 titles

Critical High Medium Low
$1200 $500 $200 $100

Sources

https://kotaku.com/valve-patched-a-steam-exploit-that-let-users-add-unlimi-1847490455

https://hackerone.com/reports/1295844

https://hackerone.com/valve?type=team

From what I read last night in a fog of sleep eyes, Hackerone is a white hat hacking community/company that gets contracted by companies to find exploits like these, so it makes sense it would be reported appropriately. 

I half expected the report to start with..

"Hello viewers, I'm the spiffing brit and today I'm going to tell Valve how I broke their wallet system to gain infinite money so sit back, make sure you're comfy and have a nice warm cup of Yorkshire tea ready"

inb4 they have an account bug again and personal details are stolen 😛

Lol $7500 for unlimited funds seems cheap. Like imagine if Amazon had this same exploit and they're like yeah best I can do is $7,500 for making sure people can't buy a million dollars in gift cards for $1

reports it to valve instead of sharing it with people who can't afford any games
8 minutes ago, SlidewaysZ said:

Lol $7500 for unlimited funds seems cheap. Like imagine if Amazon had this same exploit and they're like yeah best I can do is $7,500 for making sure people can't buy a million dollars in gift cards for $1

On the flip side it's ~3 months average salary in the US for doing something he probably would have done anyway, plus if it got to the point where someone is stealing millions and nobody noticed then there are larger problems than the exploit to worry about.

14 minutes ago, Caroline said:

reports it to valve instead of sharing it with people who can't afford any games

Games are easily the cheapest form of entertainment that isn't free

27 minutes ago, poochyena said:

Games are easily the cheapest form of entertainment that isn't free

Depends, other media seems to be cheaper and doesn't need the amount of storage and components to run.

Although some of the subscriptions both for shows and games can be cheap, until many parts of the chain want various payment options or get you into other subscriptions.

55 minutes ago, Caroline said:

reports it to valve instead of sharing it with people who can't afford any games

I mean.. Would it be better to let people exploit this for their own gain and make the market crash? Think I have some 500+ digital and physical games all together..

And if you can't pay, save up or.. You know if you know.

2 hours ago, Skiiwee29 said:

From what I read last night in a fog of sleep eyes, Hackerone is a white hat hacking community/company that gets contracted by companies to find exploits like these, so it makes sense it would be reported appropriately. 

There are upsides and downsides to this platform. To make it short, it is controversial.

3 hours ago, poochyena said:

Games are easily the cheapest form of entertainment that isn't free

Or it could literally be free. I mean Fortnite is 100% free if you choose to not pay for skins, same with League of Legends and many other games out there, so it's kinda hard to feel bad because someone can't pay for AAA games when there are plenty of gaming experiences that are either free or relatively cheap. I would almost go as far as to say that my most played games are all either free or I paid 20 bucks or less for. It turns out that I find most of the really great games with great replayability generally aren't your AAA games but indie type games with really fun core mechanics or free to play competitive games.

I love white hat hackers, they are awesome and legal!

10 hours ago, James Evens said:

@Vishera Depends and then you have "professionals" like the German party CDU which thanked with a criminal investigation:

https://www.translatetheweb.com/?from=&to=en&dl=en&ref=trb&a=https%3A%2F%2Fwww.ccc.de%2Fde%2Fupdates%2F2021%2Fccc-meldet-keine-sicherheitslucken-mehr-an-cdu

Valve gives $7500 and the CDU files for a criminal investigation?! - That's wrong on so many levels.

Still, a criminal investigation only checks and looks for illegal activities.

The CCC are not in jail so authorities didn't find anything criminal here.

17 hours ago, Vishera said:

I love white hat hackers,they are awesome and legal!

I knew a white hacker, actually worked for Sony. Turns out, he was just a hacker and I never liked him from the get go. (and yeah, he really worked for Sony… happened all right before a certain "outage" too… not sus at all lol)

But I get it, they generally are the good guys. If they are what they say, this is.

@Vishera They actively filed it so they believed it was illegal action.

This is just a few weeks old so it's still active/not closed.

29 minutes ago, Mark Kaine said:

But I get it, they generally are the good guys. If they are what they say, this is.

Never trust hackers.

This exploit is probably how the grey area websites that sell key codes get them

1 minute ago, Gohardgrandpa said:

This exploit is probably how the grey area websites that sell key codes get them

If you buy games direct from the Steam store the game is automatically added to your library. You can buy as a gift for a friend but that sends it to their library, it doesn't give a key as far as I remember. You normally only get keys when purchasing the game outside of steam. I don't think there's a way to buy using steam wallet funds where it gives you a CD key? I could be wrong though.

I think a lot of grey market keys are bought in countries where the game is sold at a cheaper price then resold in more expensive markets or are simply bought with stolen credit cards. 

On 8/16/2021 at 2:03 PM, Skiiwee29 said:

From what I read last night in a fog of sleep eyes, Hackerone is a white hat hacking community/company that gets contracted by companies to find exploits like these, so it makes sense it would be reported appropriately. 

This is true.

On 8/16/2021 at 5:03 PM, poochyena said:

Games are easily the cheapest form of entertainment that isn't free

my country adding 106% taxes to games:

23 hours ago, MultiGamerClub said:

I mean.. Would it be better to let people exploit this for their own gain and make the market crash? Think i have some 500+ digital and physical games all together..

And if you cant pay, save up or.. You know if you know.

Of course I know.

1 hour ago, Caroline said:

Of course I know.

Haha, think I only saw this program once in my life only for it to vanish out of existence.

BT was where I really saw the light open up, or IGG of course..

Didn't even need that stuff in the end. (qBt ftw lol)

(Or some earlier variant of it anyway..)

With 20mb/s down and up, movies, whether it be 720p or 1080p, go fast.

I've stopped getting games the other way, I'm rather saving up.

But with my car eating up money in repairs, it's a long waiting game lol.

On 8/16/2021 at 12:37 PM, SlidewaysZ said:

Lol $7500 for unlimited funds seems cheap. Like imagine if Amazon had this same exploit and they're like yeah best I can do is $7,500 for making sure people can't buy a million dollars in gift cards for $1

Good Guy Valve.

Kind of surprised that vulnerability wasn't worth $10,000 like the kernel exploits found for the PS4 have been.