
A bug in Steam exposed the activation keys for any game

The Ukrainian information security researcher Artem Moskovsky spoke about a bug in Steamworks, the platform for developers who work with Steam. The vulnerability made it possible to obtain all activation keys (CD-keys) for any game hosted on Steam.

The researcher discovered the problem in the API at partner.steamgames.com/partnercdkeys/assignkeys/. This API gives developers and other related parties access to a game's CD-keys, which users use to activate products on Steam.

This API is also available to an ordinary Steam account and takes a number of parameters, the most important of which are appid (the game ID), keyid (the CD-key set identifier), and keycount (the number of keys that Steam must return from the CD-key set).

Under normal circumstances, an attempt to retrieve activation keys for a game that the user does not own should result only in an error that this API returns. But Moskovsky found that by setting the keycount parameter to “0”, he could bypass the restrictions and extract the file with all activation keys for any game.
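The following sketch is an added example, not Valve's code and not taken from the researcher's report: it shows one way a boundary value such as keycount = 0 can skip an ownership check, next to a handler that authorizes first and rejects out-of-range counts. The article does not describe the server-side logic, so the flaw modeled here, the handler names, the account and key data, and `MAX_KEYS_PER_REQUEST` are all assumptions.

```python
# Added illustration; not Valve's code. All names and data below are constructed.
OWNERS = {1001: "studio_a"}  # appid -> partner account that owns the game
KEY_SETS = {(1001, 7): ["KEY-0001", "KEY-0002", "KEY-0003"]}  # (appid, keyid) -> keys
MAX_KEYS_PER_REQUEST = 2  # assumed per-request ceiling


class Forbidden(Exception):
    """Caller is not allowed to access this game's keys."""


class BadRequest(Exception):
    """A parameter is of the wrong type, unknown, or out of range."""


def assign_keys_flawed(account, appid, keyid, keycount):
    """Assumed flaw: ownership is checked only on the keycount > 0 path."""
    keys = KEY_SETS.get((appid, keyid), [])
    if keycount > 0:
        if OWNERS.get(appid) != account:
            raise Forbidden(appid)
        return keys[:keycount]
    return keys  # 0 falls through as "no limit", with no ownership check


def assign_keys_hardened(account, appid, keyid, keycount):
    """Authorize first, then validate keycount against an explicit range."""
    if OWNERS.get(appid) != account:
        raise Forbidden(appid)  # runs for every request, whatever keycount is
    if type(keycount) is not int or not 1 <= keycount <= MAX_KEYS_PER_REQUEST:
        raise BadRequest("keycount")  # 0, negatives, strings and bools are rejected
    if (appid, keyid) not in KEY_SETS:
        raise BadRequest("keyid")
    return KEY_SETS[(appid, keyid)][:keycount]


def outcome(handler, account, appid, keyid, keycount):
    """Return the key list, or the name of the error the handler raised."""
    try:
        return handler(account, appid, keyid, keycount)
    except (Forbidden, BadRequest) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for handler in (assign_keys_flawed, assign_keys_hardened):
        for count in (1, 0):
            print(handler.__name__, count, outcome(handler, "other_user", 1001, 7, count))
```

A regression test for this class of bug should exercise every boundary value of keycount from an account that does not own the appid and expect the same authorization error each time.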

The researcher told the ZDNet publication that while studying the problem he was able to generate and download more than 36,000 CD-keys for the game Portal 2. Worse, he soon realized that a potential attacker could simply go through the IDs of various games on Steam and download all the activation keys in sequence, because the appid and keyid parameters are not difficult to guess.

The specialist reported the vulnerability to Valve engineers through the official bug bounty program on HackerOne. The bug was fixed after a few days and the researcher received a reward of $20,000, but he was only now officially allowed to talk about his discovery.

It should be noted that this is one of the largest rewards paid by Valve, but not the first major bug found by Artem. In the summer of this year, the researcher discovered that Steamworks was vulnerable to SQL injection, earning $25,000 for it. In addition, Moskovsky admitted to journalists that before that he had found vulnerabilities in the ViaBTC mining pool (the reward was $18,000), as well as in Samsung products (the reward was $13,300).