13 August 2021 at 15:06 UTC
Updated: 13 August 2021 at 15:09 UTC
Security researcher earns $7,500 bug bounty after discovering business logic flaw
A security researcher has earned a $7,500 bug bounty after discovering an exploit that could have allowed gamers to boost their in-game Steam wallet balances by artificially inflating the value of deposits.
The 'unlimited funds' cheat was promptly triaged by Valve Software, the company behind the popular Steam gaming platform, and resolved just days after its discovery.
A security researcher with the handle 'drbrix' found the flaw in Steam and reported it via HackerOne.
In a write-up published by HackerOne after the bug was resolved, the researcher describes how an attacker would first have to change their Steam account email to an address that includes the string "amount100".
With this in place, a would-be attacker would proceed to add funds to their wallet, selecting an option that relies on Smart2Pay as the payment method, and go ahead with the small minimum payment of $1.
Smart2Pay is a Dutch payment services company serving online retailers.
If the attacker intercepted the corresponding POST request to the Smart2Pay API, they could edit the payment amount in it to a far larger figure than was actually paid ($100 instead of $1).
The trick only works where "amount100" features in the Steam account email, and the email is changed back to its original value before the doctored request is submitted.
The flaw in Steam's payment flow, best described as a business logic problem, was quickly resolved.
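The article does not describe how Steam validated the amount reported by the payment provider, so the following is an added, constructed model of the class of flaw it describes rather than Steam or Smart2Pay code: a wallet top-up handler that credits whatever amount arrives in the payment callback, beside one that only credits the amount the server recorded when the top-up was initiated and refuses a callback that disagrees with it. All names (`Wallet`, `start_top_up`, `credit_vulnerable`, `credit_hardened`, the transaction IDs and amounts) are hypothetical.

```python
"""Illustrative model (constructed for this article, not Steam's code) of a
wallet top-up that trusts a tamperable amount versus one bound to a
server-side record of what the user actually agreed to pay."""
from dataclasses import dataclass, field


@dataclass
class PendingTopUp:
    txn_id: str
    amount_cents: int  # amount the user agreed to pay at checkout


@dataclass
class Wallet:
    balance_cents: int = 0
    pending: dict = field(default_factory=dict)  # txn_id -> PendingTopUp
    settled: set = field(default_factory=set)    # txn_ids already credited


def start_top_up(wallet: Wallet, txn_id: str, amount_cents: int) -> None:
    """Server-side step taken before handing off to the payment provider:
    record what the user agreed to pay, keyed by transaction ID."""
    wallet.pending[txn_id] = PendingTopUp(txn_id, amount_cents)


def credit_vulnerable(wallet: Wallet, callback: dict) -> int:
    """Credits the amount carried in the callback as-is. If the user can edit
    the request in transit, a $1 deposit becomes whatever they type."""
    wallet.balance_cents += int(callback["amount"])
    return wallet.balance_cents


def credit_hardened(wallet: Wallet, callback: dict) -> int:
    """Credits only the server-recorded amount for the referenced transaction,
    exactly once, and rejects a callback whose amount disagrees with it."""
    txn_id = callback.get("txn_id")
    pending = wallet.pending.get(txn_id)
    if pending is None or txn_id in wallet.settled:
        raise ValueError("unknown or already settled transaction")
    if int(callback["amount"]) != pending.amount_cents:
        raise ValueError("callback amount does not match recorded amount")
    wallet.balance_cents += pending.amount_cents
    wallet.settled.add(txn_id)
    del wallet.pending[txn_id]
    return wallet.balance_cents


def demo() -> tuple:
    """Constructed scenario: the user initiates a $1 (100 cent) top-up, then
    edits the callback to claim $100 (10000 cents)."""
    tampered = {"txn_id": "t-1", "amount": "10000"}  # edited from "100"

    w1 = Wallet()
    start_top_up(w1, "t-1", 100)
    vuln_balance = credit_vulnerable(w1, tampered)  # cheat succeeds: 10000

    w2 = Wallet()
    start_top_up(w2, "t-1", 100)
    try:
        credit_hardened(w2, tampered)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True  # cheat refused, balance untouched
    return vuln_balance, hardened_rejected, w2.balance_cents


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that the credited figure never comes from the inbound request at all; the request only identifies which pending record to settle, and a mismatch is treated as an error to investigate rather than silently corrected. The same record also blocks replaying a valid callback twice.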
In response to requests for comment from The Daily Swig, a spokesperson for Valve Software said: "Thanks to the person who reported this bug we were able to work with the payment provider to resolve the issue without any impact on customers."
Smart2Pay is yet to respond to a request for comment, so it is difficult at this point to say what wider lessons, if any, might be drawn from the incident.
We'll update this story as and when more information comes to hand.