
Valve patches exploit that allowed free Steam Wallet funds

Spotty

Summary

A security researcher discovered an exploit that allowed unlimited funds to be added to a user's Steam Wallet, an exploit that would allow someone to purchase any item from the Steam store or items on the Steam Marketplace.

After the exploit was reported to Valve via HackerOne, Valve quickly responded to fix it and awarded a $7,500 bounty for the report.

 

Quotes


A security researcher on Hackerone recently submitted an exploit that could be used on Steam to gain unlimited funds. The exploit has since been patched by Valve and the company awarded the user who discovered this exploit $7500.

 

On August 9, Hackerone user Drbrix privately alerted Valve to a Steam Wallet exploit that involved changing your email address and intercepting transactions that use any Smart2Pay payment method. 

 

“I think impact is pretty obvious, attacker can generate money and break the Steam market, sell game keys for cheap etc,” posted Drbrix in their Hackerone report.

 

To view the details on exactly how the exploit worked you can read the HackerOne report, which was made public after it was patched: https://hackerone.com/reports/1295844

 

My thoughts

Damn. This could have actually been pretty devastating for Valve if it had not been reported. Credit to the researcher who reported it responsibly.

 

I'm sure Valve would have been able to track any suspicious transactions or suspicious Steam Wallets, so adding 50 million dollars to your Steam Wallet probably wouldn't get you very far. More normal, smaller transactions might have slipped under the radar though. I bet Valve are now investigating to see if this exploit had been actively used.

 

A $7500 bounty seems low for an exploit that could have caused this much damage in my opinion, though on HackerOne, bugs/exploits in Steam that are ranked 'critical' have a listed payout of $7500. Compared to other large platforms like Google, Apple, and, perhaps the most appropriate comparison, the Epic Games Store, these payouts for Steam seem low, but regardless it's still good that Valve is encouraging responsible disclosure practices for security vulnerabilities and that they were quick to respond and patch it.

Rewards

The following reward tables are based on Valve's severity assessment, as described above.

Product                                                                      Critical   High     Medium   Low
Steam                                                                        $7,500     $2,500   $750     $200
CS:GO, Dota2, Team Fortress 2, Dota Underlords, Artifact, Half-Life: Alyx   $7,500     $2,500   $750     $200
Left 4 Dead 2, Left 4 Dead                                                   $2,500     $750     $200     $100
Portal 2, Portal, Counter-Strike: Source, Half-Life 2 titles                 $1,200     $500     $200     $100

 

 

Sources

https://kotaku.com/valve-patched-a-steam-exploit-that-let-users-add-unlimi-1847490455

https://hackerone.com/reports/1295844

https://hackerone.com/valve?type=team

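The end-of-day reconciliation that the post above expects would catch this, as an added example that is not code from the original post, from Valve or from the HackerOne report: it matches each wallet credit to what the payment processor actually settled for the same transaction id, reports the gap, and then sums the gap per account so that a run of small over-credits (the "smaller transactions" case) surfaces as well as one enormous one. The record shapes, field names and sample rows are constructed for the illustration and are not Steam's real schema.

```python
from dataclasses import dataclass
from decimal import Decimal


# Hypothetical record shapes; the field names are assumptions, not a real schema.
@dataclass(frozen=True)
class WalletCredit:
    txn_id: str       # merchant transaction id shared with the payment processor
    account: str      # wallet account that received the credit
    amount: Decimal   # what the wallet was credited
    currency: str


@dataclass(frozen=True)
class Settlement:
    txn_id: str       # same id as reported back by the processor
    amount: Decimal   # what the processor actually collected
    currency: str


def reconcile(credits, settlements):
    """Match every wallet credit to the processor's settlement for the same
    transaction id and return a list of findings for anything that does not
    line up. Each finding is (kind, txn_id, account, delta)."""
    settled = {s.txn_id: s for s in settlements}
    findings = []
    for c in credits:
        s = settled.pop(c.txn_id, None)
        if s is None:
            # Credited, but the processor never saw any money for this id.
            findings.append(("credit_without_settlement", c.txn_id, c.account, c.amount))
        elif s.currency != c.currency:
            findings.append(("currency_mismatch", c.txn_id, c.account, c.amount))
        elif s.amount != c.amount:
            # Over-credit relative to money actually received: the exploit's footprint.
            findings.append(("amount_mismatch", c.txn_id, c.account, c.amount - s.amount))
    for s in settled.values():
        # Money arrived that was never credited (a different bug, but still a discrepancy).
        findings.append(("settlement_without_credit", s.txn_id, None, s.amount))
    return findings


def over_credited_accounts(findings, threshold=Decimal("0")):
    """Sum the over-credit per account so many small mismatches show up together."""
    totals = {}
    for kind, _txn, account, delta in findings:
        if kind in ("amount_mismatch", "credit_without_settlement") and account:
            totals[account] = totals.get(account, Decimal("0")) + delta
    return {a: d for a, d in totals.items() if d > threshold}


# Constructed sample day: one clean purchase, two exploited ones, one orphan on each side.
SAMPLE_CREDITS = [
    WalletCredit("T1", "alice", Decimal("20.00"), "USD"),   # paid 20.00, credited 20.00
    WalletCredit("T2", "bob",   Decimal("100.00"), "USD"),  # paid 1.00, credited 100.00
    WalletCredit("T3", "bob",   Decimal("50.00"), "USD"),   # paid 1.00, credited 50.00
    WalletCredit("T4", "carol", Decimal("5.00"), "USD"),    # nothing ever arrived
]
SAMPLE_SETTLEMENTS = [
    Settlement("T1", Decimal("20.00"), "USD"),
    Settlement("T2", Decimal("1.00"), "USD"),
    Settlement("T3", Decimal("1.00"), "USD"),
    Settlement("T5", Decimal("10.00"), "USD"),              # arrived, never credited
]


def run_sample():
    findings = reconcile(SAMPLE_CREDITS, SAMPLE_SETTLEMENTS)
    return findings, over_credited_accounts(findings)


if __name__ == "__main__":
    findings, flagged = run_sample()
    for f in findings:
        print(*f)
    print("over-credited accounts:", flagged)
```

In practice the settlements come from the processor's daily report and the credits from the wallet ledger; the comparison is keyed on the shared transaction id so that an attacker who changes the amount cannot also change which settlement the credit is matched against.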

From what I read last night in a fog of sleepy eyes, HackerOne is a white hat hacking community/company that gets contracted by companies to find exploits like these, so it makes sense it would be reported appropriately.


I half expected the report to start with..

 

"Hello viewers, I'm the spiffing brit and today I'm going to tell Valve how I broke their wallet system to gain infinite money so sit back, make sure you're comfy and have a nice warm cup of Yorkshire tea ready"


Lol, $7500 for unlimited funds seems cheap. Like imagine if Amazon had this same exploit and they're like "yeah, best I can do is $7,500" for making sure people can't buy a million dollars in gift cards for $1.

 


8 minutes ago, SlidewaysZ said:

Lol, $7500 for unlimited funds seems cheap. Like imagine if Amazon had this same exploit and they're like "yeah, best I can do is $7,500" for making sure people can't buy a million dollars in gift cards for $1.

 

On the flip side, it's ~3 months' average salary in the US for doing something he probably would have done anyway, plus if it got to the point where someone is stealing millions and nobody noticed then there are larger problems than the exploit to worry about.


14 minutes ago, Caroline said:

reports it to valve instead of sharing it with people who can't afford any games

Games are easily the cheapest form of entertainment that isn't free


27 minutes ago, poochyena said:

Games are easily the cheapest form of entertainment that isn't free

Depends, other media seems to be cheaper and doesn't need the amount of storage and components to run.

Although some of the subscriptions both for shows and games can be cheap, until many parts of the chain wants various payment options or getting you into other subscriptions.


55 minutes ago, Caroline said:

reports it to valve instead of sharing it with people who can't afford any games

 

I mean.. Would it be better to let people exploit this for their own gain and make the market crash? Think I have some 500+ digital and physical games all together..

And if you can't pay, save up or.. You know if you know.


3 hours ago, poochyena said:

Games are easily the cheapest form of entertainment that isn't free

Or it could literally be free. I mean Fortnite is 100% free if you choose not to pay for skins, same with League of Legends and many other games out there, so it's kinda hard to feel bad because someone can't pay for AAA games when there are plenty of gaming experiences that are either free or relatively cheap. I would almost go as far as to say that my most played games are all either free or ones I paid 20 bucks or less for. It turns out that I find most of the really great games with great replayability generally aren't your AAA games but indie type games with really fun core mechanics or free to play competitive games.


I love white hat hackers,they are awesome and legal!


10 hours ago, James Evens said:

@Vishera Depends, and then you have "professionals" like the German party CDU, which said thank you with a criminal investigation:

https://www.translatetheweb.com/?from=&to=en&dl=en&ref=trb&a=https%3A%2F%2Fwww.ccc.de%2Fde%2Fupdates%2F2021%2Fccc-meldet-keine-sicherheitslucken-mehr-an-cdu

Valve gives $7500 and the CDU files for a criminal investigation?! - That's wrong on so many levels.

Still, a criminal investigation only checks and looks for illegal activities.

The CCC are not in jail so authorities didn't find anything criminal here.


17 hours ago, Vishera said:

I love white hat hackers,they are awesome and legal!

I knew a white hat hacker, actually worked for Sony. Turns out, he was just a hacker and I never liked him from the get go. (and yeah, he really worked for Sony… happened all right before a certain "outage" too… not sus at all lol)

 

But I get it, they generally are the good guys. If they are what they say, that is.


29 minutes ago, Mark Kaine said:

But i get it, they generally  are the good guys. If they are what they say, this is.

Never trust hackers.


This exploit is probably how the grey area websites that sell key codes get them


1 minute ago, Gohardgrandpa said:

This exploit is probably how the grey area websites that sell key codes get them

If you buy games direct from the Steam store the game is automatically added to your library. You can buy as a gift for a friend but that sends it to their library, it doesn't give a key as far as I remember. You normally only get keys when purchasing the game outside of steam. I don't think there's a way to buy using steam wallet funds where it gives you a CD key? I could be wrong though.

 

I think a lot of grey market keys are bought in countries where the game is sold at a cheaper price then resold in more expensive markets or are simply bought with stolen credit cards. 


1 hour ago, Caroline said:

Of course I know.


Haha, think I only saw this program once in my life, only for it to vanish out of existence.

 

BT was where I really saw the light open up, or IGG of course..

Didn't even need that stuff in the end. (qBt ftw lol)

(Or some earlier variant of it anyway..)

 

With 20mb/s down and up, movies, be it 720p or 1080p, go fast.

I've stopped getting games the other way, I'm rather saving up.

But with my car eating up money in repairs, its a long waiting game lol.


On 8/16/2021 at 12:37 PM, SlidewaysZ said:

Lol, $7500 for unlimited funds seems cheap. Like imagine if Amazon had this same exploit and they're like "yeah, best I can do is $7,500" for making sure people can't buy a million dollars in gift cards for $1.

Good Guy Valve.


Kind of surprised that vulnerability wasn't worth $10,000 like the kernel exploits found for the PS4 have been.


Seems like doubling the amount would have been reasonable. It’s a weird number though. Maybe someone just emptied their discretionary fund at him or something. It was what was available.  It is in the interests of the  commercial community to pay white hat hackers well considering the massive sums that get stolen.


On 8/16/2021 at 11:01 AM, Spotty said:

$7500 bounty seems low for an exploit that could have caused this much damage in my opinion, though on hackerone bugs/exploits in Steam that are ranked 'critical' have a listed payout of $7500

I do agree that it does seem small... but at the same time, I wonder how long it would take Steam to figure it out and track it back to an account (thus mitigating damages)... I mean, at least where I have worked in the past, payments were reconciled at the end of the day, and if someone were exploiting it at my work it would be spotted within 24 hours (and for the most part automated).

 

Given you also would require a method of payment to begin with (as it still required a $1 purchase to get the money into the Steam Wallet), they would have to either use their own credit card (at which point they would be in trouble), or a stolen credit card... at which point they likely have access to more stolen credit cards and could just rack up higher charges anyways... sure, maybe not as much, but still. Overall, I think it should be worth more than $7500, but I do think there are merits in that it's not as big of a deal potentially.

 

What is a bit disturbing is the use of pretty much un-sanitized... wonder who thought it was a good idea to use a hash to protect inputs but remove all the & symbols and concatenate user-inputted variables with generated variables.

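The class of bug the last post describes (a hash over user-supplied and merchant-generated fields concatenated with every & removed), combined with the change-your-email-and-intercept-the-request route the opening post mentions, as an added illustration that is not code from the HackerOne report, from Valve or from Smart2Pay. The field names, the exact hashing steps, the shared secret and the request below are all assumptions chosen to show why stripping the delimiter before hashing is fatal, not a reconstruction of the real Steam/Smart2Pay integration. The hardened variant beside it MACs an encoding in which a value cannot pass for a field boundary and rejects duplicated fields outright.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, unquote, urlencode

# Constructed placeholder; a real merchant/processor key is never hard-coded.
SECRET = b"merchant-processor-shared-secret"


def build_merchant_query(amount: str, email: str) -> str:
    """Merchant side: generated fields plus the user-controlled e-mail, URL-encoded.
    Field names are hypothetical."""
    return urlencode([
        ("merchant_id", "M1"),
        ("txn_id", "T1"),
        ("amount", amount),
        ("currency", "USD"),
        ("email", email),
    ])


def weak_sign(raw_query: str) -> str:
    """Flawed scheme: decode the query, drop every '&', then MAC what is left.
    The '&' was the only thing saying where one field ends and the next
    begins, so after stripping it the MAC cannot distinguish
    email="x&amount=100" (one field) from email="x" plus amount=100 (two)."""
    canon = unquote(raw_query).replace("&", "")
    return hmac.new(SECRET, canon.encode(), hashlib.sha256).hexdigest()


def weak_verify(raw_query: str, sig: str) -> bool:
    return hmac.compare_digest(weak_sign(raw_query), sig)


def parse_last_wins(raw_query: str) -> dict:
    """What a typical query parser hands to business logic: duplicate keys
    collapse and the last occurrence wins."""
    return dict(parse_qsl(raw_query, keep_blank_values=True))


def strong_sign(fields: dict) -> str:
    """Hardened: MAC an injective encoding (sorted keys, every key and value
    percent-encoded, delimiters kept). Length-prefixing or canonical JSON
    would serve equally; the point is that no value can masquerade as a delimiter."""
    canon = urlencode(sorted(fields.items()))
    return hmac.new(SECRET, canon.encode(), hashlib.sha256).hexdigest()


def strong_verify(raw_query: str, sig: str) -> bool:
    pairs = parse_qsl(raw_query, keep_blank_values=True)
    if len({k for k, _ in pairs}) != len(pairs):
        return False  # duplicated field: reject rather than let "last wins" decide
    return hmac.compare_digest(strong_sign(dict(pairs)), sig)


def demo() -> dict:
    # Attacker-chosen profile e-mail that smuggles a second 'amount' field.
    email = "attacker@example.com&amount=100"
    honest = build_merchant_query("1", email)          # merchant signs amount=1
    sig_weak = weak_sign(honest)
    sig_strong = strong_sign(parse_last_wins(honest))
    # Interception step: turn the encoded '&' inside the e-mail into a real delimiter.
    forged = honest.replace("%26amount%3D100", "&amount=100")
    return {
        "weak_accepts_forged": weak_verify(forged, sig_weak),
        "weak_credited_amount": parse_last_wins(forged)["amount"],
        "strong_accepts_honest": strong_verify(honest, sig_strong),
        "strong_accepts_forged": strong_verify(forged, sig_strong),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The weak verifier accepts the forged request because the decoded, ampersand-stripped bytes are identical to the honest one, yet the parser then reads amount=100 for a transaction in which $1 was paid; the strong verifier rejects the same request both because the duplicated field is visible and because the canonical encoding of the parsed fields no longer matches what was signed.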
