Valve fixes bug that allowed Steam Wallet balance to be inflated


Steam contained a bug that allowed the wallet balance to be artificially increased. A security researcher discovered it and reported it to Valve, receiving $7,500. It is not known whether the bug has been exploited.

To exploit the flaw, a user had to change the email address associated with their account to a variant that added “amount 100” and then top up the wallet through Dutch payment provider Smart2Pay. The POST request to the Smart2Pay API then had to be intercepted, and the amount could be modified there. For example, a Steam user could add $100 to their wallet while paying only $1. The user had to return their email address to its original form before submitting the amended request.

Security researcher DrBrix describes the steps on the HackerOne bug bounty platform. The details were initially visible only to Valve and were released after the bug was fixed. Valve acknowledged that the bug represented a “business risk”. As a result, the researcher received $7,500.

DrBrix demonstrated the flaw with his own account, showing certain transactions that increased the wallet balance. It is not known whether the flaw has been exploited in practice by other Steam users. Valve told security site The Daily Swig that the bug was resolved in cooperation with the payment provider.
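
The following is an added example, not code from Valve, Smart2Pay or the HackerOne report, of the server-side checks that close this class of bug. The article does not say how the payment request was protected; the sketch assumes a keyed signature over the request fields, and the field names, key and sample values are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; real keys belong in a secret store

def naive_message(fields):
    # Weak: names and values joined with no delimiter or length, so the
    # boundaries between fields are not part of what gets signed.
    return "".join(k + v for k, v in fields).encode()

def canonical_message(fields):
    # Hardened: each name and value carries a 4-byte length prefix, so
    # every field list maps to exactly one byte string.
    out = bytearray()
    for k, v in fields:
        for part in (k.encode(), v.encode()):
            out += len(part).to_bytes(4, "big") + part
    return bytes(out)

def sign(fields, encode):
    return hmac.new(KEY, encode(fields), hashlib.sha256).hexdigest()

def credit_wallet(order, confirmed_fields, tag):
    # Credit only the amount of the order created server-side, and only
    # when the provider's authenticated confirmation matches it exactly.
    expected = sign(confirmed_fields, canonical_message)
    if not hmac.compare_digest(expected, tag):
        return 0
    confirmed = dict(confirmed_fields)
    if (confirmed.get("order_id"), confirmed.get("amount")) != (order["order_id"], order["amount"]):
        return 0
    return int(order["amount"])

# Constructed sample data: two different field lists, same concatenation.
ONE_FIELD = [("email", "useramount100@example.test")]
TWO_FIELDS = [("email", "user"), ("amount", "100@example.test")]

if __name__ == "__main__":
    print(sign(ONE_FIELD, naive_message) == sign(TWO_FIELDS, naive_message))          # True
    print(sign(ONE_FIELD, canonical_message) == sign(TWO_FIELDS, canonical_message))  # False
    order = {"order_id": "A1", "amount": "1"}
    ok = [("order_id", "A1"), ("amount", "1")]
    bad = [("order_id", "A1"), ("amount", "100")]
    print(credit_wallet(order, ok, sign(ok, canonical_message)))    # 1
    print(credit_wallet(order, bad, sign(bad, canonical_message)))  # 0
```

The first comparison shows why free text such as an email address must never be able to blur into another signed field; the last two show the wallet being credited only from the server's own order record.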
