A man has been given $20,000 (£15,500) for discovering a Steam bug that let people download any game for free. Security researcher Artem Moskowsky found a flaw in Steam’s portal for games developers that let anybody generate
Millions of people use Steam to buy and download games on PC and Mac computers. Even I have bought
Mr. Moskowsky told Steam owner Valve about the bug and it awarded him the money as part of its bug bounty scheme. Many companies reward people who privately disclose security problems so they can be fixed, rather than sharing the information online.
He told news site the Register that he discovered the problem by accident when exploring the Steam partner portal. The portal lets game studios generate license keys for their software, so they can give a copy to fans or journalists to review. But he found that modifying the request let anybody generate thousands of codes for any game they wanted. These could theoretically be sold online on the black market.
“I managed to bypass the verification of ownership of the game by changing only one parameter,” he told the Register.
Valve awarded him $15,000 and a $5,000 bonus for making the private disclosure. The flaw has since been fixed. Valve said an investigation of its logs did not show that anybody had exploited the bug. So they are good to go.