Security researcher scoops $25,000 reward for discovering Steam 'free games' exploit

Exploit could have been use to generate free game keys by the thousand

Valve Software, the company behind the popular Steam PC gaming portal, has paid a $25,000 bug bounty to a hacker who discovered an exploit that enabled users to generate product keys without paying for them.

Security researcher Artem Moskowsky discovered the exploit. He was digging around in the Steam partner portal (used by content generators, principally games companies) where he discovered the flaw.

The partner portal enables companies to generate keys that can be distributed for review or to give away in a competition.

Moskowsky found that by modifying the request to bypass verification of ownership of the game in question, he could create as many product licence keys as he wanted, each with the full market value of the product in question.

This was done by changing a single parameter of the request. These keys can then be given away or sold on the black market.

Valve has confirmed that the bug is now fixed and that, as far as it can tell, nobody ever used the exploit.

Nevertheless, the potential for destruction caused if this bug had been discovered by a less honest party it could have cost Steam and the companies that use its platform untold losses.

In recognition of this, Moskowsky was given $20,000 for discovering the exploit, and a further $5,000 for making the disclosure privately to Steam, enabling the company to fix it before it became public knowledge.

Separately, Valve Software is also believed to be working on its own virtual reality headset, with images of the devices having been leaked to Reddit.

IT security failings are, increasingly, costing CISOs, CIOs and CEOs their jobs.

With business utterly dependent on IT, it's not enough for senior executives to dismiss security as ‘techie stuff'. At Computing's Enterprise Security & Risk Management Live event, hear from the National Crime Agency, ex-hackers and big-business CISOs to learn about how they are tackling cyber security.

For more information, check out the dedicated event website. Attendance is FREE to IT leaders and senior IT pros.