Until mid-August this year, it was possible for anyone to steal activation keys for any game on Steam. Fortunately for Valve — and every developer on the company’s platform — the security researcher who discovered the exploit, Artem Moskowsky, decided to give Valve a heads-up. The problem has since been fixed, but man, was it a doozy.
Plans to support the Australian dollar on Steam have been in the works for years. But when the AUD finally appears on the front page, what actually happens? To dispel some of the confusion and concern, I spoke to some developers to help outline what customers can expect next month.Read more
On August 7, Moskowsky reported the issue to Valve via security bounty site HackerOne. While it’s not possible to view the details of the exploit in the report, the following description is provided:
Using the /partnercdkeys/assignkeys/ endpoint on partner.steamgames.com with specific parameters, an authenticated user could download previously-generated CD keys for a game which they would not normally have access.
Audit logs were not bypassed using this method, and an investigation of those audit logs did not show any prior or ongoing exploitation of this bug.
Within four days, Valve had fixed the issue, and awarded Moskowsky a bounty of $US20,000 ($27,682). A few days later, Moskowsky requested the bug be reported publicly, though it took Valve almost two months to agree, with the bug finally made visible on November 1.
Speaking with The Register’s Shaun Nichols, Moskowsky offered some explanation of the problem:
“To exploit the vulnerability, it was necessary to make only one request,” Moskowsky told El Reg. “I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys.”
He goes on to say he was able to snag 36,000 keys for Portal 2 using the exploit. That’s a lot of keys.
Valve should be thanking its lucky stars (and Moskowsky) that the bug wasn’t taken advantage of en masse.