A Hackerone security researcher submitted the exploit and was awarded a $7,500 bug bounty for discovering and reporting the critical flaw, according to PVPLive and others on Twitter.
A big flaw discovered by a hacker on Hackerone allows users to contribute limitless cash to their Steam accounts. The bug was quickly fixed by Valve. #steam #valvehttps://t.co/xf4W0PacZ0 pic.twitter.com/kEeyR186YL
— PvPLive.Net (@PvPLive_Net) August 18, 2021
The researcher, who goes by the moniker ‘drbrix,’ found the exploit and was able to keep loading funds into his Steam wallet without actually paying for it. He indicated that the only thing he needed to manipulate Steam’s payment system was an email registered to a Steam account.
Valve has fixed an API vulnerability reported by a @Hacker0x01 user drbrix. Hashing function for the API call to add funds removed special characters. Thus a call with amount=100 parameter could be tampered by using e.g. an email address with amount100.https://t.co/WVjiQWLBjz
— APIsecurity.io (@apisecurityio) August 16, 2021
Adding the numerical dollar figure after the word “amount” — for example, “amount5000” — would trigger those funds to be added to the gamer’s Steam wallet. The researcher indicated that he went through the process just to show it could be done and then disclosed it to Valve, according to reports.
The bug allegedly worked with payments processed over the smart2pay system. Valve has fixed the issue, which was considered a critical security flaw, and rewarded drbrix with a bug bounty.
Steam Wallet funds can only be used on the Steam platform for in-game purchases, such as merchandise, subscriptions and content. The funds can’t be transferred beyond the network and can’t be traded with other Steam wallet users. There are, however, some untoward methods people can use to turn those funds into real money, according to ThreatPost.
“The bug was exploited by abusing Valve’s own application programming interface (API) used to communicate with the third-party web payment firm Smart2Pay, owned by Nuvei,” according to the article.
drbrix said the hack gave an attacker the ability to interrupt the POST request — used to send data to the API server — sent from Valve to Smart2Pay as it moved across the Valve API.
“We have changed the severity assessment to Critical, reflecting the potential cost to the business, and applied a bounty accordingly,” Valve wrote, thanking drbrix for the tip.