The Steam Exploit That Let You Get Free Keys For Any Game

Until mid-August this year, it was possible for anyone to steal activation keys for any game on Steam. Fortunately for Valve — and every developer on the company’s platform — the security researcher who discovered the exploit, Artem Moskowsky, decided to give Valve a heads-up. The problem has since been fixed, but man, was it a doozy.

On August 7, Moskowsky reported the issue to Valve via security bounty site HackerOne. While it’s not possible to view the details of the exploit in the report, the following description is provided:

Using the /partnercdkeys/assignkeys/ endpoint on with specific parameters, an authenticated user could download previously-generated CD keys for a game which they would not normally have access.

Audit logs were not bypassed using this method, and an investigation of those audit logs did not show any prior or ongoing exploitation of this bug.

Within four days, Valve had fixed the issue, and awarded Moskowsky a bounty of $US20,000 ($27,682). A few days later, Moskowsky requested the bug be reported publicly, though it took Valve almost two months to agree, with the bug finally made visible on November 1.

Speaking with The Register’s Shaun Nichols, Moskowsky offered some explanation of the problem:

“To exploit the vulnerability, it was necessary to make only one request,” Moskowsky told El Reg. “I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys.”

He goes on to say he was able to snag 36,000 keys for Portal 2 using the exploit. That’s a lot of keys.
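The report's details are not public, so the following is an added sketch of the general bug class the quote describes, not Valve's code: an ownership check that a request parameter can steer around, followed by a lookup keyed on a second client-supplied ID, shown beside a version that checks ownership on every path and an audit-log review of the kind Valve describes. The function names, the `action` parameter, the account names and the key data are all hypothetical and constructed for illustration.

```python
# Added illustration; all names and data are hypothetical/constructed, not Valve's API.
OWNERS = {"studio_a": {100}, "studio_b": {200}}      # account -> app IDs it publishes
KEY_SETS = {1: (100, ["AAAA-0001", "AAAA-0002"]),    # key set ID -> (app ID, keys)
            2: (200, ["BBBB-0001", "BBBB-0002"])}
AUDIT_LOG = []                                       # (user, key_set_id, outcome)


def download_keys_flawed(user, app_id, key_set_id, action="generate"):
    """Flawed: the ownership check runs on only one code path, the path is
    chosen by a request parameter, and the key set is never tied to app_id."""
    if action == "generate" and app_id not in OWNERS.get(user, set()):
        AUDIT_LOG.append((user, key_set_id, "denied"))
        raise PermissionError("caller does not own this app")
    AUDIT_LOG.append((user, key_set_id, "served"))
    return KEY_SETS[key_set_id][1]


def download_keys_checked(user, key_set_id):
    """Hardened: resolve the owning app from server-side data and check the
    authenticated user against it on every path, denying by default."""
    entry = KEY_SETS.get(key_set_id)
    if entry is None or entry[0] not in OWNERS.get(user, set()):
        AUDIT_LOG.append((user, key_set_id, "denied"))
        raise PermissionError("caller does not own this key set")
    AUDIT_LOG.append((user, key_set_id, "served"))
    return entry[1]


def suspicious_downloads(log):
    """Audit review: served requests where the caller does not own the app
    that the key set belongs to."""
    return [(user, ks) for user, ks, outcome in log
            if outcome == "served"
            and KEY_SETS[ks][0] not in OWNERS.get(user, set())]
```

Because the flawed handler still writes to the audit log, the review function can find a cross-account download after the fact, which is the property that let Valve rule out earlier abuse.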

Valve should be thanking its lucky stars (and Moskowsky) that the bug wasn’t taken advantage of en masse.

#391217: Getting all the CD keys of any game [HackerOne, via The Register]


  • Wow $20k reward seems pretty paltry, if this guy had done the wrong thing and shared this exploit they’d have sued for millions.

    • True, still I reckon not a bad rate for some freelance exploit fixing as long as it didn’t take him ages to find it. Time is money friend!

      • It’s not the only high bounty he’s claimed from Valve this year either. He seems to have had one a few months ago for $25K.

    • And adding on the responses of @nirvesta and @djbear, on top of a tidy pay packet he convinced them to go public with the story.
      I bet he could get a security job with just about any big tech company right now.
      (And with distribution shifting to a subscription and streaming model he’s smart to get his name out there)
