A Steam bug left Valve open to massive fraud. The bug would allow players to fill their Steam wallets by multiplying their wallet purchases. Security researcher drbrix discovered the bug and reported it through HackerOne, a platform that connects businesses with researchers like drbrix. After a few days, the bug was fixed, and drbrix was awarded a $7,500 bug bounty.
This bug was relatively simple. A would-be attacker would create an account with the phrase “amount100” in their email address. They would then purchase as little as $1 of Steam currency through Smart2Pay. The attacker would intercept the request to Smart2Pay and change the amount to $100, matching the figure embedded in the email address. The rest of the process would continue as usual, with the attacker spending $1 and receiving $100.
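As an added example (not code from Valve, Smart2Pay or drbrix's report), here is the kind of server-side check that closes this class of bug: the merchant credits only the amount it recorded when it created the transaction, never a figure taken from the callback or from the account's email address, and any signature covers a delimited, key-sorted encoding. The callback field names, the HMAC scheme and the sample secret are all assumed for illustration.

```python
import hmac
import hashlib
import json
from decimal import Decimal, InvalidOperation

# Constructed for this example: a shared secret a merchant and its payment
# provider might use to sign callbacks. Not a real Smart2Pay or Steam value.
SHARED_SECRET = b"example-shared-secret"

# Server-side record of what the merchant actually asked the provider to
# charge, keyed by transaction id. In production this lives in a database.
PENDING = {
    "tx-1001": {"amount": Decimal("1.00"), "currency": "USD",
                "account": "user@example.com"},
}

def canonical(fields):
    # Delimited, key-sorted encoding: the string "amount100" inside the Email
    # value can never be read as an Amount field by the signer or verifier.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign(fields):
    return hmac.new(SHARED_SECRET, canonical(fields), hashlib.sha256).hexdigest()

def make_callback(tx_id, amount, email):
    # Builds a signed "payment complete" callback the way an honest provider
    # would (assumed format, constructed for this example).
    fields = {"TransactionID": tx_id, "Amount": amount,
              "Currency": "USD", "Email": email}
    return {**fields, "Signature": sign(fields)}

def process_callback(cb):
    """Validate a callback before crediting a wallet. Returns (credited, reason)."""
    fields = {k: v for k, v in cb.items() if k != "Signature"}
    if not hmac.compare_digest(sign(fields), cb.get("Signature", "")):
        return False, "bad signature"
    pending = PENDING.get(fields.get("TransactionID"))
    if pending is None:
        return False, "unknown transaction"
    try:
        reported = Decimal(str(fields.get("Amount", "0")))
    except InvalidOperation:
        return False, "malformed amount"
    # The credited amount is our own record; a provider report that disagrees
    # with it is rejected rather than trusted.
    if reported != pending["amount"] or fields.get("Currency") != pending["currency"]:
        return False, "amount mismatch"
    return True, f"credit {pending['amount']} {pending['currency']} to {pending['account']}"
```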
The “amount100” bug is now fixed, as Valve and Smart2Pay closed the communication loophole. All thanks to the keen eye of drbrix!