Somewhere deep inside Valve’s labyrinthine compound of Steam-sustaining tubes, wires, and pipes, somebody is thanking their lucky stars for Artem Moskowsky. The self-described “bug hunter” came across a glitch that allowed him to generate thousands of free keys for any game on Steam. A lesser person might have kept that knowledge to themselves. He reported it.
Moskowsky discovered and reported the bug back in August, but Valve only allowed the information to go public recently. For his troubles, the company paid him $US20,000 ($27,727) — as opposed to a lifetime of free games, which is what would’ve happened if this was a feel-good episode of a sitcom.
According to a summary by Valve on bug bounty site HackerOne, the bug took advantage of an issue with Steam’s developer tools. Using “specific parameters”, anyone with access to those tools could make the service spit out keys for games that didn’t belong to them.
Valve said an investigation did not find evidence of the bug actually being misused. That’s good news for Valve, because speaking with tech publication The Register, Moskowsky said that in one case he managed to trick the system into giving him 36,000 keys for Portal 2.
Given Steam’s documented history of problems with sketchy secondhand sites and illicit key scams, it’s not hard to imagine a few scenarios in which scammers might’ve found this bug handy. And given how easy it is to become a developer and gain access to partner tools on Steam these days, I doubt they would’ve had much trouble pulling it off. (Then again, who knows how long it would have been before Valve caught on and shut it down.)
As for Moskowsky, I imagine he’s in pretty good spirits, given that he’s spent the past few months using his digital tweezers to pluck all sorts of bugs from Valve’s back, including one in July that netted him an additional $US25,000 ($34,658).
Comments
7 responses to “Valve Pays $20,000 To Hacker Who Found Steam Bug That Generates Free Games”
You’ve already posted an article on this though.
https://www.kotaku.com.au/2018/11/the-steam-exploit-that-allowed-you-to-get-free-keys-for-any-game/
It was an AU story though, this one’s from the US. They never seem to port AU stories over there, which is a shame.
The Empire tells us the news, not the other way around!
I get that…but surely the editor of this site chooses which stories to bring over and doesn’t just blindly bring them all, right?
Bit disjointing for regular readers to see the same article twice with some slightly different wording. I initially thought this was a further development about it…not just the same story re-written.
So he got some additional work from Valve for his troubles huh?
He must be finding some doozies if he keeps getting 20k a pop!!
Yeah he should have asked for more. I mean, $60 per game is only 333 games to make 20k.
Another interesting question is that if their publiushed tools had this bug and he emploted it. Has he broken the law? I mean their tools allow it…
Well by the sounds of it he’s netted more than 50-75k already from multiple exploits so he isn’t doing too bad depending on time spent (Assuming) and he’s getting his name out there in an industry that’s moving toward subscription services all around.
As for the legality of it, Valve is clearly letting him poke around so he’s not doing anything illegal.
It’s one thing to find an exploit, it’s another to actually exploit it.
Even if Valve went after him, they would need to show his actions cost them instead of saving them.