Valve has fixed a vulnerability, discovered by a security company, that could have cost Valve a lot of money. Steam is known to be the most popular among similar platforms. Companies need to be very careful, as a flaw like this could affect profitability substantially.
However, a HackerOne security researcher named “Drbrix” found an exploit that would allow users to add infinite amounts of money to their Steam wallet.
Drbrix explained how the abuse was done. The first step is to link or change a Steam account’s email address to one that contains the word “amount100.” Then, the user clicks the “Add Funds” button and chooses any Smart2Pay payment method. This includes PayPal services.
The security officer said that the user must intercept the data request sent to the server and change certain parameters to complete the exploit.
In this way, attackers would be able to generate a lot of money in their Steam wallets and buy as many games as they want. Additionally, they could use this vulnerability as a way to sell game keys cheaply, among other nefarious purposes. This is a big problem for Valve.
A Valve employee named “JonP” thanked Drbrix for his efforts to bring this vulnerability to light. In a follow-up statement, JonP said the report was comprehensive and well-written and helped the company find a major vulnerability.
Drbrix was paid $7,500 for his efforts, but with the potential damage the vulnerability could do to the company’s bottom line, Valve needs to pay the security researcher more.
Although the company fixed the vulnerability, we don’t know if some users exploited the vulnerability before it was brought to light.