Steam Bug Allowed Games to be Downloaded for Free - [security]
(amigo) - 10:01 AM EST - Nov,12 2018 - post a comment
Researcher Artem Moskowsky found a bug in Steam that let users download "previously-generated CD keys for a game which they would not normally have access." The bug was submitted to Valve
on August 7, quickly fixed on August 10, and publicly disclosed on October 31. Valve was quick to point out that their "audit logs were not bypassed using this method," and that they didn't see any evidence that the bug was exploited in the wild. Moskowsky claimed a $20,000 bounty for his efforts, and he told The Register
that he was somewhat impressed with Valve's quick response.
Essentially, anyone who had an account on the developer portal would be able to access the game activation keys for any other game Steam hosted, and sell or distribute them for pirates to use to play games from Steam. Fetching from the /partnercdkeys/assignkeys/ API with a zero key count returned a huge bunch of activation keys. "To exploit the vulnerability, it was necessary to make only one request," Moskowsky told El Reg. "I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys." How severe was the flaw? Moskowski says that, in one case, he entered a random string into the request, to pick a title at random, and in return he got 36,000 activation keys for Portal 2, a game that still retails for $9.99 in the Steam store.