- A white-hat hacker has found a clever way to get unlimited funds on Steam and reported it to Valve.
- The exploit involves changing the POST parameters on the API call to the payment provider.
- The nasty flaw has been fixed now and the researcher received $7,500 for the report.
A hacker has found a clever way to spend $1 in Steam and then bloat the amount to orders of magnitude higher than that, essentially getting access to unlimited money on Steam. Although the platform doesn’t give users the option to withdraw funds, one could very easily make a lot of money by reselling game keys cheaper on third-party sites and continue to do so with little risk of being noticed by Valve’s anti-abuse systems.
The hack relies upon a logic flaw that unfolds in the transaction request. For the trick to work, the actor has to create an email account that contains ‘amount100’ in the address, visit the ‘add funds’ web page on the Steam store and select ‘Smart2Pay’ as a payment method.
Then, the POST request to the payment service needs to be intercepted, and the actor would have to change the parameters. The email part that contains the amount allows the actor to add a new field amount with the desired value, while the actual transaction ID amount parameter would have to change too, like, for example, editing “Amount=2000” to “Amount2=000”. Having done that, the attacker could send the POST request onto the Smart2Pay API, pay $1, and then get $100 as soon as the transaction is approved (in a few hours).
Steam’s engineers quickly confirmed the problem and proceeded to deploy a fix on their production systems, so the bug has been plugged now. If someone tries to reproduce the exploit, they will just not see the spent amount on their balance as it will never pass the transaction checks on the server-side.
The researcher has received a bug bounty of $7,500 for the finding, which was rated as critical (upgraded from medium severity along the way). It is unknown if anyone was actively abusing this bug to get unlimited funds on Steam, and neither Smart2Pay nor Steam gave any statements on it yet.