A security researcher on Hackerone recently submitted an exploit that could be used on Steam to gain unlimited funds. The exploit has since been patched by Valve and the company awarded the user who discovered this exploit $7500.
Hackerone is a site that connects companies like Valve with users who like to hack and tinker with websites, apps, and other pieces of software. These folks can submit exploits and hacks to companies privately and then in exchange, these tech companies can award hackers money for their finds. It’s a system that has a track record of helping squash nasty exploits before they can go public.
On August 9, Hackerone user Drbrix privately alerted Valve to a Steam Wallet exploit that involved changing your email address and intercepting transactions that use any Smart2Pay payment method. You can read about the full method of attack and how it works via the Hackerone report, which became public on August 10 and was spotted by The Daily Swig and NME a few days later.
“I think impact is pretty obvious, attacker can generate money and break the Steam market, sell game keys for cheap etc,” posted Drbrix in their Hackerone report.
As you might expect, Valve quickly responded to Drbrix’s post. A Valve employee on the site named JonP thanked Drbrix for their find and explained that Valve had quickly validated what they reported and was taking steps to fix the issue. A follow-up message from JonP explained that the report was “clearly written” and “helpful in identifying a real business risk.”
Valve then paid Drbrix $7500, which is nice, but doesn’t seem like enough. If this exploit had gone public or had been shared with a few small groups of people, it could have cost Valve a lot more than $7500. Come on, Valve. Last year, Riot was offering people $100k for finding Valorant exploits.
After everything was squared away and fixed, Valve and Drbrix made the full report public. At this time, we don’t know if anyone was able to use this exploit before Valve was notified and patched it.