Steam Vulnerability Allowing Cash-in of False Money Now Patched

The hacker received $7,500 as bounty for reporting the vulnerability, allowing Valve to patch it.

Thanks to the timely report by an ethical hacker, Valve has patched up a vulnerability that could have allowed people to cash in an unlimited amount of false cash to their Steam accounts.

According to The Daily Swig, a security researcher going by the handle of Drbrix notified Valve last week of the exploit. The vulnerability allowed people to link an email incorporating the terms “amount100” to the address to their Steam account, and use it to fraudulently cash in false money.

Drbrix discovered the exploit as a user of Hackerone, a website that allows white hat hackers to tinker with specific websites’ codes to discover vulnerabilities and weaknesses that black hatters could take advantage of.

Hackerone allows hackers to spot vulnerabilities in certain websites before it becomes public.

The hacker explained in a very detailed report that anyone can use the exploit to cash in only a very minimal amount, and then intercept and edit the transaction to reflect the amount that they desire. These fraudulent transactions will only work if the thieves use the Smart2Pay platform.

If the Steam vulnerability was left unchecked, Valve could lose thousands of money when the false cash are used to purchase games. Hackers could even make more money by selling the Steam account itself.

For his assistance, Kotaku said that Drbrix received a compensation of $7500 from Valve. A username with the handle JonP, who is a Valve employee working in Hackerone, thanked Drbrix for his input and confirmed that his company is working on patching the exploit.

The full report of the exploit can be read in its Hackerone page.

In related news, the team behind Half-Life 2: Update said that Valve has given its go-ahead to release a Half-Life 2: Remastered Collection on Steam. The game is still currently in development, with details like release date still undisclosed.