vacancies advertise contact news tip The Vault
facebook rss twitter

Valve patches 'infinite money' Steam client bug

by Mark Tyson on 16 August 2021, 12:11

Tags: Valve

Quick Link: HEXUS.net/qaeqys

Add to My Vault: x

A security researcher has netted a US$7,500 bug bounty by helping Valve close an exploit in its Steam Client software. The exploit would have basically allowed a user to spend willy-nilly throughout the Steam Store thanks to an 'unlimited funds cheat' boosting Steam Wallet deposits. I haven't seen any reports of this bug being exploited in the wild, but it is now patched.

This is an unusual exploit which can be outlined as follows;

  1. A user would need to modify their Steam account email to include the string 'amount100',
  2. Then the user would have to add funds to their Steam Wallet, choosing Smart2Pay as the payment method,
  3. User top-up choice could be as low as US$1,
  4. The user would then have to intercept the corresponding POST request to the Smart2Pay API, where they could edit the credit amount up to $100.

Step 4 sounds a bit technical, and I'm not sure how simple it would have been to execute.

Valve responded to a request for comment from The Daily Swig, saying that "Thanks to the person who reported this bug, we were able to work with the payment provider to resolve the issue without any impact on customers."

Valve Steam Deck infomercial published

After not updating its YouTube channel with new content for eight months, Valve has published a one-minute infomercial which nicely sums up the abilities and attractions of the upcoming handheld hardware release (see below).

The Steam Deck has proved very popular and pre-orders in the regions where it is due to roll out first are such that new customers will be waiting into Q2 2022 at the earliest, for their handhelds to be dispatched.



HEXUS Forums :: 4 Comments

Login with Forum Account

Don't have an account? Register today!
It's simple enough to exploit but that seems like a Smart2Pay bug rather than a Steam bug.
The user would then have to intercept the corresponding POST request to the Smart2Pay API, where they could edit the credit amount up to $100.

Step 4 sounds a bit technical, and I'm not sure how simple it would have been to execute.

Quite easy really. I'm more impressed by them working out the validations checks would be passed by putting the token somewhere else. Something I've seen before though, the mistake might be something like there are two independent checks
“Is the item code present” it finds a valid value then stops searching.
“is the messaged signed and valid”. It goes to the bottom of the message, skipping over the real item code and reads a valid signature.
As a result it reports the transaction is good for up to $100 when it was only worth 1$

As for step 4 you can do that yourself.

Grab Firefox, Grab Burp Suit (or some other interception proxy). Point Firefox proxy at Burp, add the Burp certificate to Firefox. You can now view and edit all your traffic. Same principle can be applied to any browser, game or the steam client itself.
AnonAnon
It's simple enough to exploit but that seems like a Smart2Pay bug rather than a Steam bug.

It's a bug in how Steam processes Smart2Pay transactions.
Surprised that wasn't worth more than $7500 to them.