Valve is no stranger to bug bounties, often paying security researchers who find bugs in Steam and report them through programs such as HackerOne. This time around, someone found a particularly serious flaw that allowed unlimited Steam Wallet funds to be added to an account, a flaw that has now been fixed.
The vulnerability, submitted to Valve through HackerOne, could have allowed an attacker to generate Steam Wallet funds by changing the email address on their Steam account and abusing a loophole in payment methods that use Smart2Pay as the provider. The process is long and somewhat involved, so it does not appear the vulnerability was abused in the wild; nonetheless, Valve picked up the report last week and validated the researcher's claims.
The fix also went live on Steam's backend last week, which is why the vulnerability has now been made public. For finding and reporting it, Valve paid the researcher a $7,500 bounty.
A Steam Wallet vulnerability like this is particularly important to close now that Valve sells hardware, which, unlike software bought on Steam, cannot be revoked after purchase. Fraudulently generated funds could have been used to order physical products such as the Steam Deck and the Valve Index, which could then be resold at pure profit. Fortunately for Valve, that scenario has been avoided.
KitGuru Says: Steam tends to be quite secure, so it is noteworthy when a bug like this is revealed.