A bug which allowed users to add infinite money to their Steam wallet has been patched by Valve after being reported by a third-party security researcher, though it’s unknown if anyone had used it yet.
Valve has paid a security researcher a bounty of $7,500 (£5,409) after discovering – and reporting – a vulnerability that could be used to add unlimited funds to a Steam wallet.
As spotted by The Daily Swig, the researcher – going by ‘drbrix’ – outlined how potential attackers could have used the exploit to gain free money on the platform. Drbrix submitted his findings through HackerOne, where a Valve representative described the report as “clearly written and helpful in identifying a real business risk” and escalated the issue to critical, “reflecting the potential cost to the business”.
As Drbrix explains, any potential attacker would first need to link an email with the term “amount100” to their Steam account.
Following this, they would add funds to their wallet as normal, selecting any payment method that uses Smart2Pay. The funds added could be as little as £1, because anyone using this exploit would then intercept the POST request (the data being sent to the server) and edit it to change the payment amount.
While this only worked when “amount100” was included in the Steam account email, it is a problem that could have netted criminals thousands of pounds in ‘free’ games, which could then have been sold on as part of a Steam account.
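The defender-side lesson from the steps above is that a wallet must never be credited from an amount field the client can edit in transit. The following is an added illustration, not Valve's or Smart2Pay's code: the server keeps its own record of what each checkout was authorised for, checks a provider signature, and credits only the stored amount. The checkout record, the HMAC scheme and the callback field names are all assumptions made for the example.

```python
"""Added example: crediting a wallet only from the server-side authorised amount.

The article says the flaw let a user intercept the top-up POST and edit the
amount. This handler (constructed for illustration, not the real system)
treats the client-visible amount as untrusted and reconciles it against
what the checkout was actually created for.
"""
from dataclasses import dataclass, field
import hmac
import hashlib

# Constructed stand-in for a secret shared with the payment provider.
PROVIDER_SECRET = b"constructed-shared-secret"


@dataclass
class Checkout:
    checkout_id: str
    account: str
    amount_pence: int  # amount the user actually chose at checkout time
    credited: bool = False


@dataclass
class Wallet:
    balances: dict = field(default_factory=dict)


def provider_signature(checkout_id: str, amount_pence: int) -> str:
    """Constructed stand-in for a provider-signed confirmation.

    Fields are length-delimited so that a crafted value in one field
    (the article mentions an email containing "amount100") cannot blur
    the boundary with the amount field. This hardening is an assumption,
    not the fix Valve and Smart2Pay actually applied.
    """
    msg = f"{len(checkout_id)}:{checkout_id}|{amount_pence}".encode()
    return hmac.new(PROVIDER_SECRET, msg, hashlib.sha256).hexdigest()


def credit_wallet(wallet, checkouts, callback):
    """Apply one provider callback. Returns (accepted, reason)."""
    chk = checkouts.get(callback.get("checkout_id"))
    if chk is None:
        return False, "unknown checkout"
    if chk.credited:
        return False, "replay"  # each checkout credits the wallet once
    # Verify the signature against the server-stored amount, not the claimed one.
    expected = provider_signature(chk.checkout_id, chk.amount_pence)
    if not hmac.compare_digest(expected, str(callback.get("sig", ""))):
        return False, "bad signature"
    claimed = int(callback.get("amount", -1))
    if claimed != chk.amount_pence:
        # Tampered amount in transit: credit nothing and surface it for review.
        return False, f"amount mismatch: claimed {claimed}, authorised {chk.amount_pence}"
    wallet.balances[chk.account] = wallet.balances.get(chk.account, 0) + chk.amount_pence
    chk.credited = True
    return True, "credited"
```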
While Smart2Pay has not yet commented on the exploit, a spokesperson for Valve told The Daily Swig:
“Thanks to the person who reported this bug we were able to work with the payment provider to resolve the issue without any impact on customers.”