Valve has patched an expensive-sounding exploit that would have allowed Steam users to add unlimited funds to their wallets and build a tremendous backlog of PC games that they would never find the time to play.
The monetary cheat code was uncovered by a HackerOne user named drbrix, who earned a $7,500 bug bounty for the discovery.
In their submission dated August 9, drbrix explained that an attacker could add unlimited funds to their wallet by exploiting a method that relies on Dutch payment services company Smart2Pay. Modifying a Steam account’s email to include the term “amount100” apparently enabled a trick that could have allowed even minimal payment amounts such as $1 to be changed to any value.
In a statement to The Daily Swig, Valve confirmed that the bug has been squashed after it worked quickly with the payment provider to resolve the issue. Valve also noted that the issue had no impact on customers, which seems to suggest that the infinite money generator was never successfully exploited.
Smart2Pay has yet to respond to a request for comment, so it’s difficult at this point to say what wider lessons, if any, might be drawn from the incident.
Source: The Daily Swig