A security researcher discovered a dangerous Valve vulnerability allowing malicious users to reveal the license keys for the available content on the store. This means that every computer game or software can be acquired by leveraging it. The expert has disclosed the issue to Valve who have fixed the bug.
The Critical Steam Vulnerability Fixed: Malware Users Could Have Accessed Games for Free
A dangerous Steam vulnerability was recently reported that fortunately was fixed before any abuse is reported. The issue was discovered by a security expert called Artem Moskowsky who disclosed the bug in private to Valve back in August. The problem was fixed by the Steam developers and public acknowledgment was posted when the necessary critical patches were rolled out to the users.
The problem was found within the Steam developer portal which was exploitable into revealing the license keys for published content on the platform. The expert revealed that it was fairy easy to modify the parameters in the API request during network transactions. This allows malicious users to craft custom packets that will return the license key for a given title. Last year Steam and CS:GO users faced serious issue when alarge-scale lobby spam campaign affected the majority of players. Security experts were unable to identify the origins or perpetrators.
The proof-of-concept was done by changing a single parameter that overrides the game ownership status. Once this is done the can acquire the key of any title they specify, effectively being able to download all of Steam’s catalog for free. The news reports indicate that Moskowsky demonstrated that he was able to obtain 36,000 keys for Portal 2. Given the price a simple calculation in this scenario results in $359,640 of lost revenue for Valve.
Upon verifying that the bug is legitimate the researcher was awarded a bug bounty reward through the Hacker One platform. The private disclosure done by the expert guarantees that no malicious user can abuse it. No reports of such claims have been reported. Valve confirmed that the log files sow no records of abuse or intrusion.