Original post of this article
13 August 2021 at 15:06 UTC
Updated: 13 August 2021 at 15:09 UTC
Security researcher earns $7,500 bug bounty after discovering business logic flaw
A security researcher has earned a $7,500 bug bounty after discovering an exploit that could have permitted gamers to boost their in-game Steam wallet balances by artificially increasing the value of deposits.
The ‘unlimited funds’ cheat was promptly triaged by Valve Software – the firm behind the popular Steam gaming platform – and resolved just days after its discovery.
A security researcher with the handle ‘drbrix’ discovered the flaw in Steam and reported it through HackerOne.
In a write up published by HackerOne after the bug was resolved, the researcher describes how an attacker would first have to modify their Steam account email to an address that includes the term “amount100”.
With this in place, a would-be attacker would apply to add funds to their wallet, selecting an option that relies on Smart2Pay as the payment method, before going ahead with a small minimum payment of $1.
Smart2Pay is a Dutch payment services company for web merchants.
If an attacker intercepted the corresponding POST request to the Smart2Pay API, they would find a response that could be edited to change the payment amount, which could be edited to a far larger amount than was actually paid ($100 instead of $1).
The trick only works where “amount100” features in the Steam account email, and this is changed back to its original value before submitting the doctored request.
The flaw in Steam’s payment flow, best described as a business logic problem, was quickly resolved.
In response to requests for comment from The Daily Swig, a spokesperson for Valve Software said: “Thanks to the person who reported this bug we were able to work with the payment provider to resolve the issue without any impact on customers.”
Smart2Pay is yet to respond to a request for comment, so it’s difficult at this point to say what wider lessons, if any, might be drawn from the incident.
We’ll update this story as and when more information comes to hand.