Steam, a digital games platform for PC, has patched a potentially disastrous bug that allowed users to download an unlimited number of games for free.
A security researcher named Artem Moskowsky found the bug in Steam’s developer portal that let anyone make license keys without paying. The purpose of the key generation tool is to help developers make license keys for software so that copies can be given to journalists for review or to fans as prizes.
However, Moskowsky discovered that the request form would generate thousands of codes for any game on the store. This meant that anyone who registered as a developer could get free access to any game on Steam, download thousands of codes, and sell them on the black market for a profit.
Moskowsky told The Register, “I was able to get around the game’s ownership check by changing only one parameter.”
Moskowsky did the right thing by approaching Steam’s owner, Valve, and allowing them to fix the problem. Moskowsky received a $20,000 (£15,500) payout as part of Valve’s bounty program, which rewards hackers for coming to Valve rather than sharing the exploit online.
Valve claims that, based on its logs, no one had exploited the bug before it was patched.
While not quite a zero-day exploit or a massive data breach, if this Steam exploit had fallen into the wrong hands, thousands of developers could have found themselves out of pocket for games they’ve spent years developing. It would also have had a significant impact on Steam’s bottom line, as cheap codes would have been distributed online with no money going to Valve.