Steam wallet flaw could turn $1 into hundreds
Games on Steam can be pretty expensive, but that's not a problem if you can turn a single dollar into an unlimited amount of funds. Steam recently awarded a $7,500 bug bounty to a security researcher who discovered an interesting — and potentially very lucrative — bug in Steam Wallet. By taking advantage of an online payment company's API, an enterprising cybercriminal could trick Steam into adding a theoretically unlimited amount of money into a user's account.
That information comes from a highly technical report in HackerOne, via The Daily Swig. Security researcher "drbrix" outlined all of his findings, and disclosed precisely how to take advantage of the bug. (For anyone who was hoping to replicate the trick, don't bother; Steam patched it out of existence weeks ago, according to comments in the HackerOne thread.)
Briefly, here's how the flaw worked: First, a user would open up his or her Steam Wallet, and add a payment method. One possible method is a Dutch online payment company called Smart2Pay. By modifying the Smart2Pay API directly, drbrix discovered that he could edit the payment amount after making any form of legitimate deposit. In other words: He could pay $1 to Smart2Pay, then convince Steam that he had added $100 to his account.
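The general class of bug described above, payment-amount tampering, as an added example that is not Valve's or Smart2Pay's code: a wallet-credit handler that trusts the amount in an incoming payment message, beside one that authenticates the message and credits only the amount stored server-side for that order. The HMAC scheme, every name and all sample data are assumptions constructed for illustration.

```python
import hashlib, hmac, json
from decimal import Decimal

# All names and values below are hypothetical, constructed for illustration.
PROVIDER_SECRET = b"constructed-demo-secret"  # shared by merchant and provider
ORDERS = {"order-1001": {"user": "alice", "amount": Decimal("1.00"),
                         "currency": "USD", "credited": False}}
WALLETS = {"alice": Decimal("0.00")}

def sign(fields: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of every field."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hmac.new(PROVIDER_SECRET, canonical.encode(), hashlib.sha256).hexdigest()

def credit_naive(msg: dict) -> Decimal:
    """Weak: credits whatever amount the incoming message claims."""
    user = ORDERS[msg["order_id"]]["user"]
    WALLETS[user] += Decimal(msg["amount"])
    return WALLETS[user]

def credit_checked(msg: dict, signature: str) -> Decimal:
    """Hardened: authenticate the message, then credit only the stored amount."""
    if not hmac.compare_digest(sign(msg), signature):
        raise ValueError("bad signature")
    order = ORDERS.get(msg["order_id"])
    if order is None or order["credited"]:
        raise ValueError("unknown or already credited order")
    if Decimal(msg["amount"]) != order["amount"] or msg["currency"] != order["currency"]:
        raise ValueError("amount mismatch")
    order["credited"] = True  # one credit per order, so replays fail
    WALLETS[order["user"]] += order["amount"]
    return WALLETS[order["user"]]

if __name__ == "__main__":
    paid = {"order_id": "order-1001", "amount": "1.00", "currency": "USD"}
    edited = dict(paid, amount="100.00")  # amount changed after payment
    print(credit_naive(edited))           # 100.00 credited for a 1.00 payment
    WALLETS["alice"] = Decimal("0.00")
    try:
        credit_checked(edited, sign(paid))
    except ValueError as err:
        print("rejected:", err)
    print(credit_checked(paid, sign(paid)))
```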
Apparently, $100 is as high as the modification request would go, but that means you could essentially buy 10 brand-new, full-price games for $6. It's not difficult to see how this flaw could have created a lot of mischief, had anyone ever taken advantage of it in the wild.
The good news is that it doesn't seem like anyone took advantage of this exploit, save drbrix while he was testing it. The better news is that users don't have to do anything special to fix it; the vulnerability was on Valve's end. It's not clear whether Smart2Pay has also patched its API, but it's also not clear whether such a patch would be necessary.
For his efforts, drbrix earned a $7,500 bug bounty from Steam, which a Valve representative cited as "a real business risk" in the HackerOne comments.
While there's nothing that everyday users need to worry about here, this story does serve as a best-case scenario for how companies can address flaws in live software. A researcher found a flaw, reported it through the correct channels, and received a generous bounty for his efforts. Valve acknowledged the issue and patched it immediately. There are much more nightmarish ways this could have gone.
As for your own Steam Wallet, the usual precautions apply here. Both Steam and PayPal offer two-factor authentication, and you should use both. While you won't be able to turn $1 into $100, you can take advantage of frequent Steam sales to get major titles for relatively little money.
Source: https://www.tomsguide.com/news/steam-wallet-flaw
Posted by: fishmandiffeclus.blogspot.com