Ukrainian vulnerability researcher Artem Moskowsky discovered a bug in Steam’s web API that could have given a malicious user any CD key on the service for free, as reported by ZDNet.

Valve’s digital distribution platform has certainly had its share of problems over the years. However, it may have just avoided a potential disaster with the discovery of a critical vulnerability that could have seen countless Steam games walk out the door for free.

The service’s web API lets developers and affiliates retrieve their keys after a purchase. If you’ve ever bought a game via a third-party store like Green Man Gaming, Humble Bundle, or the like, you’ve probably activated your key through this API.

Normally, there are security checks in place to ensure that the transaction is legitimate. However, a simple change to the API’s “keycount” parameter allowed Ukrainian vulnerability researcher Artem Moskowsky to retrieve potentially any product activation code that he desired. During his tests, Mr. Moskowsky generated over 36,000 keys for Valve’s Portal 2 without spending a dime.

Artem Moskowsky is a vulnerability researcher. Also known as “white hats” or “ethical hackers”, vulnerability researchers purposefully attempt to break software just like any other hacker. The difference is in what they do with their findings. Rather than illegally exploit the vulnerability for personal gain, vulnerability researchers will hand over the information to the software developer, often in exchange for a sizeable reward called a “bug bounty”.

Mr. Moskowsky reported the CD key bug to Valve in August via the HackerOne bug bounty platform. It was fixed within a few days. He was only recently allowed to talk about the vulnerability in public, probably to ensure that it had actually been closed properly.

It’s unknown if anyone else discovered and made use of the bug prior to the Ukrainian researcher’s discovery.

Artem Moskowsky received a $20,000 award for his efforts in successfully discovering and reporting this bug. He had previously collected a $25,000 award from Valve for reporting an SQL injection vulnerability on the platform. He has also collected a number of smaller prizes from the Washington-based software company on the HackerOne platform.

Hard cash is probably a much better payment than a bunch of CD keys, although a less scrupulous individual could have made a kingly sum pawning off illegitimate keys on third-party sites. Mr. Moskowsky has made a decent income this year on other sites like Bugcrowd, and he has stated to ZDNet that he earned $18,000 from the ViaBTC mining pool and $13,300 from Samsung in his bug-bashing efforts.

This was far from the only potentially costly bug that has popped up on Steam over the years. A 2015 issue with the way that exchange rates were calculated could have seen users walking away with items on the Marketplace for fractions of a penny on the dollar. Another big issue happened on Christmas that year, when personal details of some users were revealed on the Steam store, apparently due to an issue with how the site was set to handle caching.

You can follow Artem Moskowsky on Twitter.

What do you think of the idea of bug bounties? What do you think would have happened if a less-honest person had discovered this CD key issue in Steam? Let us know in the comments below!


Robert N. Adams

Senior Writer
