[ad_1]
Until recently, Steam had an exploit that could have allowed you to add unlimited funds to your Steam wallet. Discovered by security researcher “drbrix”, the showcase allowed users to falsify the value of their deposits by modifying a few words in the email address associated with the account. Valve corrected the exploit, however, and awarded drbrix $ 7,500 (around £ 5,410) for finding it.
The hack allegedly involved a Steam user changing their account email address to include the phrase “amount100”, before adding some money to their wallet using a method through the system. Smart2Pay payment.
This exploit would then allow the hacker to intercept the request sent to Smart2Pay’s servers, allowing them to modify the amount of money they were actually adding. So if they only paid $ 1, they could turn it into $ 100 instead. (Guess it’s technically not “infinite” if you have to pay a little each time, but still!) You can read the full explanation of how it all worked out on HackerOne.
In a thread that has now been made public (as the exploit has been fixed), Valve staff member “jonp” thanked drvrix, rewarding them with the $ 7,500 bonus.
“This was clearly written and helpful in identifying an actual business risk. We changed the assessment from severity to Critical, reflecting the potential cost to the business, and applied a premium accordingly,” said Jonp. “We hope to hear more from you in the future.”
It is not clear if anyone was successful in using this hack before it was fixed, but in a statement to the Daily Swig, Valve said, “Thanks to the person who reported this bug, we were able to work with the payment provider to resolve the issue without impacting customers. ”
All’s well that ends well then. Except for people who might have used this bug in secret, I guess. More gifts for them.
[ad_2]
Source link