Valve Pays Hacker $20K for Bug That Generated CD Keys

From PC Mag: Steam contained a rather serious security flaw until recently that made it possible for an attacker to generate an activation key for any game available on the digital store with no payment necessary. Luckily for Valve, a security researcher discovered the bug first and has been duly rewarded for reporting rather than exploiting it.

Security researchers spend their days hacking on systems in an attempt to find flaws. With an increasing number of bug bounties out there, it's possible to make a career out of such work. Researcher Artem Moskowsky recently enjoyed a big pay day thanks to a vulnerability he discovered in one of Steam's APIs.

As The Register reports, Moskowsky discovered the vulnerability while using Steam's partner portal. The portal is used by developers to manage their games and access activation keys to share with others. Moskowsky found it was possible to change the parameters of the API Valve uses for handling this functionality, and with the correct change it was possible to generate activation keys for a game. Not just any game, but all games available on Steam.

The reason this worked was apparently due to Valve not properly verifying ownership in the API. Moskowsky could change one parameter to bypass the verification. After that, entering the ID of any game generated a key with which to obtain the game.

View: Article @ Source Site