Valve has patched a dangerous exploit that allowed users to artificially add endless funds to their Steam Wallet after an alert from a concerned researcher.
The security researcher, using the name "drbrix," originally published the vulnerability on Aug. 9 on HackerOne, a site typically used to report possible security issues in code and explore how to fix them. These "white hat" hackers expose problems for the good of the platform rather than for personal gain. That said, receiving a little monetary gratitude in the form of a "bounty" never hurts.
Fortunately, the exploit was quickly reported to Valve the same day the post went live.
Valve Patches Unlimited Funds Steam Wallet Exploit
According to drbrix, the crux of the issue was that hackers could intercept internet traffic containing the correct amount of funds and artificially inflate the number. Using the payment platform Smart2Pay, hackers were able to grab the corresponding request and locate a variable that could easily turn $1 into $100 with a few keystrokes.
The key? Hackers would need to create an e-mail with the phrase "amount(number)" somewhere in the address. This made the variables within the POST traffic editable, so instead of using the real monetary value, the code would shift it to the amount equal to the numbers within the e-mail.
Unsurprisingly, the report was quickly marked as "Critical."
Valve acknowledged the report and, after investigating, confirmed the exploit "[was] happening pretty much as described, and are taking steps now." Working together, drbrix and a Valve employee known as "jonp" were able to get the issue under control by the following day. They soon applied a fix that operated just as the company intended.
Both parties agreed to disclose the full report on HackerOne once it had been confirmed as "Resolved." Valve thanked drbrix for their "clearly written and helpful" report. The company paid them a $7500 bounty as a reward for bringing it to light.