Steam bug allowed game developers to generate license keys for free

Valve awarded the flaw hunter $20,000 for disclosing the bug that allowed unlimited access to all games on the Steam platform

Artem Moskowsky, a self-proclaimed bug hunter, receives $20,000 bounty for the discovery of a critical flaw in Steam partner portal API

Security researcher and self-described “bug hunter” Artem Moskowsky accidentally discovered a bug in Steam gaming platform. The glitch allowed any game developer that uses Steam partner portal to retrieve unlimited license keys for any game that is available on Steam.

However, those who thought got a perfect opportunity to harvest thousands of games for free, are too late, as the vulnerability was already patched in August. Upon discovery, Artem Moskowsky did not abuse the system to earn large sums of money but instead reported the flaw to Valve, creator of Steam gaming platform.

The company also awarded the researcher $20,000 for reporting the vulnerability via the HackerOne bug bounty program.^[1] Moskowsky said that he has been searching for security flaws since school times and in the past few years, he is making a living out of the activity.

Steam developer site could have been used by any bad actor

Currently, Steam is the most popular platform in the world, with concurrent users number peaking at 18.5 million.^[2] While there are millions of players using it, there are also thousands of developers hosting their games on the platform with the help of Steam partner portal – the API^[3] used to generate keys and pass them on to gamers or reporters to review.

Artem was visiting the website and discovered the bug accidentally. He noticed that, by slightly changing parameters in the API request, he could acquire license key for a selected game. The flaw could have been abused by anyone who has access to the portal, generating thousands of keys and selling them to players. Moskowsky explains:^[4]

To exploit the vulnerability, it was necessary to make only one request. I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys

He entered a random string and received 36,000 activation keys for a popular puzzle-platform video game Portal 2. It retails for $9.99 on Steam, so the developer would potentially lose $359,640 in revenue.

Valve is grateful for a successful find

Considering a long history of Steam's problems with questionable third-party websites and fake license key scams,^[5] it would not be surprising that many bad actors would find this bug handy for the illegal monetary gain. Additionally, almost any user can become the alleged game developer and obtain access to the Steam partner portal API.

If somebody else but Moskowsky would have found the but and exploited it for their own personal gain, it is possible that it would take Valve sometime before the activity would be stopped. Nevertheless, the internal audit revealed that no such exploitation was taking place in the past.

The bug hunter was happy with the outcome, as he originally was meant to get $15,000 as a reward, but Valve increased this sum by another $5,000 for a successful find. Surprisingly, this is not the biggest bounty Moskowsky received, as he was awarded $25,000 for tracking SQL Injection flaw.