Unlimited Money Hack on Steam Wins Security Researcher $7,500 in Bug Bounty

  • A white-hat hacker found a way to obtain unlimited funds on Steam and reported it to Valve.
  • The exploit relies on tampering with the POST parameters of the request sent to the payment provider, Smart2Pay.
  • The flaw has since been fixed, and the researcher received $7,500 for the report.

A hacker has found a way to spend $1 on Steam and have the credited amount inflated by orders of magnitude, effectively giving access to unlimited money on the platform. Although Steam does not let users withdraw funds, an abuser could still turn the credit into real money by buying game keys with it and reselling them cheaply on third-party sites, repeating the process with little risk of being noticed by Valve's anti-abuse systems.

The hack relies on a logic flaw in how the transaction request is processed. For the trick to work, the actor has to create an email account whose address contains the string 'amount100', visit the 'add funds' page on the Steam store and select 'Smart2Pay' as the payment method.

Then the POST request to the payment service has to be intercepted and its parameters modified. The amount embedded in the email address acts as a second, attacker-chosen amount field, while the genuine Amount parameter of the transaction has to be renamed so that it no longer exists as such: 'Amount=2000' becomes 'Amount2=000' (the field name absorbs the first digit, so the same characters remain in the request but the real amount field is gone). Having done that, the attacker forwards the modified POST request to the Smart2Pay API, pays $1, and is credited $100 once the transaction is approved a few hours later.

Steam's engineers quickly confirmed the problem and deployed a fix to their production systems, so the bug is now plugged. Anyone who tries to reproduce the exploit will simply not see the manipulated amount credited to their balance, because the tampered request no longer passes the server-side transaction checks.
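As an added illustration (not Valve's or Smart2Pay's code, and not taken from the researcher's report), the toy Python payment-callback handler below models the two edits described above: the 'amountNNN' token in the email address and the rename of 'Amount=2000' to 'Amount2=000'. It assumes a signature that covers keys and values concatenated without separators, under which the renamed field still verifies while the token in the email supplies the credited value; it then shows a hardened handler that signs a canonical encoding and credits only the amount the server itself recorded for the order. Parameter names, the signing scheme, the secret, the sample email and the amounts are all assumptions.

```python
"""Added example (not Valve's or Smart2Pay's code): a toy payment-callback
handler showing how renaming the Amount field plus an 'amountNNN' token in
the email can fool a loosely written receiver, and the server-side checks
that stop it. All names, the signing scheme and sample values are assumed."""
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import parse_qsl, urlencode

SECRET = b"shared-merchant-secret-hypothetical"  # assumption
AMOUNT_TOKEN = re.compile(r"amount(\d+)", re.IGNORECASE)


def _sign_concatenated(params: dict) -> str:
    # ASSUMPTION: the signature covers keys and values concatenated without
    # separators. "Amount=2000" and "Amount2=000" both sign as "Amount2000",
    # so the rename is invisible to this check yet removes the real field.
    msg = "".join(f"{k}{v}" for k, v in params.items() if k != "Signature")
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()


def _sign_encoded(params: dict) -> str:
    # Hardened: sign a canonical, separator-preserving encoding instead.
    canonical = urlencode(sorted((k, v) for k, v in params.items() if k != "Signature"))
    return hmac.new(SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def build_callback(tx_id: str, amount: int, email: str, signer=_sign_concatenated) -> str:
    """Build a signed callback body as the provider would send it (assumed format)."""
    params = {"MerchantTransactionID": tx_id, "Amount": str(amount), "Email": email}
    params["Signature"] = signer(params)
    return urlencode(params)


def tamper(body: str) -> str:
    """The edit described in the article: the Amount field is renamed away."""
    return body.replace("Amount=2000", "Amount2=000")


def credit_vulnerable(body: str) -> Optional[int]:
    """Loose receiver: verifies the weak signature, then hunts for an amount."""
    params = dict(parse_qsl(body))
    if not hmac.compare_digest(params.get("Signature", ""), _sign_concatenated(params)):
        return None
    amount = params.get("Amount")
    if amount is None:
        # Fallback scan over every value: this is where the email address's
        # 'amount100' token gets picked up as the amount to credit.
        for value in params.values():
            m = AMOUNT_TOKEN.search(value)
            if m:
                amount = m.group(1)
                break
    return int(amount) if amount is not None else None


def credit_hardened(body: str, orders: dict) -> Optional[int]:
    """Hardened receiver: canonical signature, and the amount comes from our
    own order record, which the provider's signed Amount must match exactly."""
    params = dict(parse_qsl(body))
    if not hmac.compare_digest(params.get("Signature", ""), _sign_encoded(params)):
        return None
    order = orders.get(params.get("MerchantTransactionID"))
    if order is None or params.get("Amount") != str(order["amount"]):
        return None
    return order["amount"]


# Constructed sample data: an order for 2000 (units are illustrative) and an
# email address carrying the token, as the article describes.
EMAIL = "brixamount100abc@example.com"
ORDERS = {"ORD-1": {"amount": 2000}}


def demo() -> dict:
    legit = build_callback("ORD-1", 2000, EMAIL)
    hardened_legit = build_callback("ORD-1", 2000, EMAIL, signer=_sign_encoded)
    return {
        "vulnerable_legit": credit_vulnerable(legit),
        "vulnerable_forged": credit_vulnerable(tamper(legit)),
        "hardened_legit": credit_hardened(hardened_legit, ORDERS),
        "hardened_forged": credit_hardened(tamper(hardened_legit), ORDERS),
    }


if __name__ == "__main__":
    print(demo())
```

In the vulnerable path the forged callback still verifies and credits 100, the value smuggled in through the email, instead of the 2000 the order was for; the hardened path rejects it both because the canonical signature no longer matches and because no Amount field agrees with the stored order.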

The researcher received a bug bounty of $7,500 for the finding, which was rated critical (upgraded from medium severity during triage). It is not known whether anyone abused this bug before the fix to obtain unlimited funds on Steam, and neither Smart2Pay nor Valve has commented on it yet.
