Steam is one of the most popular PC gaming platforms available, being a host of some of the most popular games available today. With its frequent use and large userbase, the platform is built to prevent certain exploits to be used. Some of Steam's exploits are patched for good reasons, such as when Valve's old code allowed for access to sensitive information such as passwords and billing information, while others allow for straight-up cheating in some of its games. The latest exploit to be patched could have been potentially one of the most catastrophic to the platform if it wasn't found.
The exploit was found by a group of hackers on a site known as Hackerone. This site allows for hackers to connect with companies like Valve to tinker and hack through its sites, applications, and software. These allow for private communication between the company and hackers to discover any exploits that could potentially endanger its userbase, where these ethical hackers are then rewarded for finding these vulnerabilities before they go public.
The latest report submitted from Hackerone to Valve involves an exploit that allows for users to falsely add infinite money to their Steam wallets. Valve was alerted by this exploit by a user known as drbrix. The bug allowed for a player to receive an "amount100" in their Steam account's email address, which will then intercept payments made in Steam's Smart2Pay system, along with artificially inflating them.
This flaw, as detailed in the report by drbrix, could impact the entire platform of Steam. An example given in the report was an attacker could instantly generate any amount of money they desire, breaking the market by buying and reselling Steam game keys for cheap. As this was an important issue that needed to be resolved on Valve's end, one employee, known as JonP, thanked drbrix for his contribution and confirmed this was a critical issue that Valve would look into.
The hacker was then awarded $7500 for his efforts in finding this exploit, with the problem being resolved rather quickly after its discovery. A spokesman from Valve commented on the matter with The Daily Swig. "Thanks to the person who reported this bug we were able to work with the payment provider to resolve the issue without any impact on customers." Currently there's no word from Valve in regards to if the vulnerability had affected any of its users, if it has been abused by any malicious hackers or if the issue was resolved before things could have gotten out of hand. Regardless, thanks to this hacker, a Steam marketplace crisis has been averted.
Source: Hackerone (via The Daily Swig)