Steam contained a bug that made it possible to artificially inflate a user's wallet balance. A security researcher discovered the flaw and reported it to Valve, which paid a $7,500 bounty. It is not known whether the bug was ever exploited.
To exploit the flaw, a user first had to change the email address associated with their account to a variant containing "100 amount" and then start a wallet top-up through the Dutch payment provider Smart2Pay. The POST request to the Smart2Pay API then had to be intercepted, and the amount could be modified in it: a Steam user could, for example, add $100 to their wallet while paying only $1. Before submitting the modified request, the user had to change the email address back to its original form.
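The core of the attack is that an amount field in a request relayed through the user's browser was trusted as the amount actually paid. The following Python illustration is an added example, not Steam's or Smart2Pay's code, and it deliberately leaves out the email trick described above: it models a generic shop/payment-provider top-up flow with a constructed shared secret and hypothetical names (`Shop`, `credit_vulnerable`, `credit_hardened`), and shows why a handler that credits the client-supplied amount is tamperable while one that checks the request against its own server-side order record is not.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical shared secret between shop and payment provider (constructed for this example).
SECRET = b"constructed-example-secret"


def sign(order_id: str, amount_cents: int) -> str:
    """HMAC over the fields that must not change between shop and provider."""
    msg = f"{order_id}:{amount_cents}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


@dataclass
class Order:
    order_id: str
    user: str
    amount_cents: int  # amount the shop recorded when the user started the top-up


@dataclass
class Shop:
    orders: dict = field(default_factory=dict)
    wallets: dict = field(default_factory=dict)

    def start_topup(self, order_id: str, user: str, amount_cents: int) -> dict:
        """Record the order server-side and build the POST the browser relays to the provider."""
        self.orders[order_id] = Order(order_id, user, amount_cents)
        return {"order_id": order_id, "amount": str(amount_cents),
                "sig": sign(order_id, amount_cents)}


def intercept_and_tamper(post: dict, new_amount_cents: int) -> dict:
    """What an intercepting proxy lets the user do to a request passing through the browser."""
    tampered = dict(post)
    tampered["amount"] = str(new_amount_cents)
    return tampered


def credit_vulnerable(shop: Shop, post: dict) -> int:
    """Trusts the amount field of the relayed request: pay 100 cents, claim 10,000."""
    order = shop.orders[post["order_id"]]
    shop.wallets[order.user] = shop.wallets.get(order.user, 0) + int(post["amount"])
    return shop.wallets[order.user]


def credit_hardened(shop: Shop, post: dict) -> int:
    """Credits only the server-side recorded amount; the client-supplied fields are checked, never trusted."""
    order = shop.orders.get(post.get("order_id"))
    if order is None:
        raise ValueError("unknown order")
    # The signature binds the order id to the amount the shop recorded, so a forged
    # signature over a different amount cannot be produced without SECRET.
    expected_sig = sign(order.order_id, order.amount_cents)
    if not hmac.compare_digest(expected_sig, post.get("sig", "")):
        raise ValueError("signature does not match the recorded order")
    # A tampered amount with the original signature is caught here.
    if post.get("amount") != str(order.amount_cents):
        raise ValueError("amount differs from the recorded order")
    shop.wallets[order.user] = shop.wallets.get(order.user, 0) + order.amount_cents
    return shop.wallets[order.user]


def run_scenario() -> dict:
    """Pay $1.00, try to get $100.00 credited, against both implementations."""
    shop = Shop()
    legit = shop.start_topup("order-1", "alice", 100)   # user actually pays 100 cents
    forged = intercept_and_tamper(legit, 10_000)        # request now claims 10,000 cents
    result = {"vulnerable": credit_vulnerable(shop, forged)}
    try:
        credit_hardened(shop, forged)
        result["hardened"] = "accepted"
    except ValueError as exc:
        result["hardened"] = str(exc)
    clean_shop = Shop()
    untouched = clean_shop.start_topup("order-2", "alice", 100)
    result["hardened_legit"] = credit_hardened(clean_shop, untouched)
    return result


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario credits 10,000 cents in the vulnerable handler and rejects the same request in the hardened one, while an untouched request is still credited for the recorded 100 cents. The point a practitioner should take away is that the amount to credit must come from the shop's own order record (or from a provider notification that the shop verifies directly with the provider), never from a field that transited the user's browser.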
Security researcher DrBrix describes the steps on the HackerOne bug bounty platform. The details were initially visible only to Valve and were published after the bug had been fixed. Valve acknowledged that the flaw represented a “commercial risk” and awarded the researcher $7,500 for the report.
DrBrix demonstrated the flaw on his own account with a number of transactions that increased his wallet balance. Whether other Steam users exploited the flaw in practice is unknown. Valve told security site The Daily Swig that the bug has been fixed in cooperation with the payment provider.