Valve has awarded a security researcher $7500 for reporting a bug that permitted players to falsify credits to their Steam wallet.
As spotted by The Daily Swig, researcher “drbrix” reported the exploit via HackerOne, stating they had “found [a] vulnerability which allows attacker to generate steam wallet balance”. The bug – which has since been resolved – would permit players with “amount100” in their Steam account email address to intercept payments made via Smart2Pay and artificially inflate them (thanks, NME).
After drbrix detailed how the exploit could be generated, Valve’s JonP promptly thanked the researcher and agreed the team at Valve had been able to “validate this is happening pretty much as described”, and was taking steps to address it.
After drbrix was invited to attempt the exploit again following triage by Valve, JonP awarded the reporter a bounty of $7500 – that’s around £5400 – and upgraded the issue from medium severity to critical.
“Thank you for this report,” JonP said. “This was clearly written and helpful in identifying a real business risk. We have changed the severity assessment to Critical, reflecting the potential cost to the business, and applied a bounty accordingly. We hope to hear more from you in the future.”
At the time of writing, there’s no word from Valve on whether the vulnerability was abused by hackers, or whether the company managed to resolve the issue before it could be abused.
ICYMI, Valve has published the first video on its official YouTube channel in eight months: “Introducing Steam Deck”.
As Wes summarised yesterday, the video is a straightforward summary of the features of Valve’s upcoming handheld, and succinctly makes the case for the device.
Demand for Steam Deck continues to be strong, with availability pushed back soon after reservations were made available. Check out Digital Foundry’s Steam Deck analysis for more.