Somewhere deep inside Valve’s labyrinthine compound of Steam-sustaining tubes, wires, and pipes, somebody is thanking their lucky stars for Artem Moskowsky. The self-described “bug hunter” came across a glitch that allowed him to generate thousands of free keys for any game on Steam. A lesser person might have kept that knowledge to themselves. He reported it.
Moskowsky discovered and reported the bug back in August, but Valve only allowed the information to go public recently. For his troubles, the company paid him $20,000—as opposed to a lifetime of free games, which is what would’ve happened if this were a feel-good episode of a sitcom.
According to a summary by Valve on bug bounty site HackerOne, the bug took advantage of an issue with Steam’s developer tools. Using “specific parameters,” anyone with access to those tools could make the service spit out keys for games that didn’t belong to them.
Valve said an investigation did not find evidence of the bug actually being misused. That’s good news for Valve, because, speaking with tech publication The Register, Moskowsky said that in one case he managed to trick the system into giving him 36,000 keys for Portal 2.
Given Steam’s documented history of problems with sketchy secondhand sites and illicit key scams, it’s not hard to imagine a few scenarios in which scammers might’ve found this bug handy. And given how easy it is to become a developer and gain access to partner tools on Steam these days, I doubt they would’ve had much trouble pulling it off. (Then again, who knows how long it would have been before Valve caught on and shut it down.)
As for Moskowsky, I imagine he’s in pretty good spirits, given that he’s spent the past few months using his digital tweezers to pluck all sorts of bugs from Valve’s back, including one in July that netted him an additional $25,000.