Valve paid a Ukrainian $20,000 for a vulnerability in Steam. The bug allowed game keys to be generated for free
Valve, the company behind the Steam online store, paid $20,000 to Ukrainian pen-tester Artem Moskovskyi for detecting a vulnerability. A pen-tester, or penetration tester, is an information security specialist who tests systems by attempting to hack them.
In August, Moskovskyi found an error allowing potential attackers to generate license keys for free. The problem was in the Steam web API. On the partner.steamgames.com/partnercdkeys/assignkeys/ page, one of the required parameters had to be set to “0”. The API could be used from regular accounts. According to Moskovskyi, as part of the test, he generated 36,000 licenses for the game Portal 2.
Valve promptly responded to Moskovskyi’s message and conducted an internal check. According to the company, attackers did not have time to take advantage of the flaw in the API. For detecting the bug, the Ukrainian pen-tester was paid $20,000. However, the details were kept secret until October 31, after which they appeared in the vulnerability branch.
This is not the first time Moskovskyi has received money from Valve. Previously, the company repeatedly paid him rewards for minor bugs (up to $1,000), and in July, Moskovskyi received $25,000 for a vulnerability that gave access to the Steam database.