Valve is a massive corporation in the world of gaming, and Valve’s Steam is one of the most popular digital game distribution websites. When a company gets as big as Valve, any security threat can cause huge financial and reputational losses. This is what recently happened with Valve, and the company might have suffered considerable financial losses.

The Flaw


A security researcher called “drbix” on HackerOne discovered an exploit in the Steam wallet on the platform. It was a security flaw that could allow gamers to boost their in-game Steam wallet balances by artificially increasing the value of deposits.

HackerOne is a vulnerability coordination platform that connects businesses with penetration testers and cybersecurity researchers. It is like a bounty website where such researchers can make big corps like Valve aware of such flaws and collect some money in return.

According to drbix, an attacker could change their Steam account email to an address that includes the term “amount100”. After that, they could apply to add funds to their wallet by selecting an option that relies on Smart2Pay as the payment method. They could then go ahead with a small minimum payment of $1, which could later be edited to a greater amount by intercepting the transaction. The full report gives a more detailed account.
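The article does not say how the payment request was integrity-checked. The following is an added example (not code from the report, Valve or Smart2Pay): assuming a signature computed over name/value pairs joined without delimiters, it shows why a string such as "amount100" inside another field matters, next to a hardened encoding and a credit check. All field names, the key and the sample data are constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed; not a real provider secret


def naive_message(fields):
    # Assumed weak scheme: names and values joined with no delimiters,
    # so field boundaries are lost before signing.
    return "".join(name + value for name, value in fields).encode()


def canonical_message(fields):
    # Hardened: sort by name and length-prefix every name and value, so
    # no value can be re-read as part of another field.
    out = bytearray()
    for name, value in sorted(fields):
        for part in (name.encode(), value.encode()):
            out += len(part).to_bytes(4, "big") + part
    return bytes(out)


def sign(fields, encode=canonical_message):
    return hmac.new(SECRET, encode(fields), hashlib.sha256).hexdigest()


def credit_for(order, callback_fields, tag):
    # Returns the amount to credit, or None to reject. The amount comes
    # from the server-side order record, never from an editable request.
    if not hmac.compare_digest(sign(callback_fields), tag):
        return None
    cb = dict(callback_fields)
    if len(cb) != len(callback_fields):  # duplicate field names
        return None
    expected = {k: str(v) for k, v in order.items()}
    if any(cb.get(k) != v for k, v in expected.items()):
        return None
    return order["amount"]


# Constructed sample data.
ORDER = {"order_id": "o-1001", "amount": 100, "currency": "USD"}
SIGNED = [("order_id", "o-1001"), ("amount", "100"), ("currency", "USD")]
# Same characters, different field boundaries.
A = [("email", "xamount100"), ("zip", "1")]
B = [("email", "x"), ("amount", "100"), ("zip", "1")]
```

Under the delimiter-less form, `A` and `B` produce identical bytes to sign; the length-prefixed form keeps them distinct, and `credit_for` rejects any callback whose fields disagree with the stored order even when its signature is valid.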

Response by Valve

First, upon confirming the issue, Valve offered drbix a $7,500 bounty and thanked the researcher for his efforts and for sharing the issue. Valve then upgraded the bug to “Critical” severity and recognized its potential to cause financial losses. The researcher had originally reported it as a medium-severity issue, but it is far more severe, because an attacker could generate large amounts of money with this method and could then break the Steam market by selling game keys at a cheaper price.

“Thanks to the person who reported this bug we were able to work with the payment provider to resolve the issues without any impact on customers,” Valve said.

As of now, Valve hasn’t revealed if any such attacks have been made on it, but it did acknowledge that it is a severe security flaw. This comes at a time when Valve’s Steam Deck is about to roll out into regular use, and Valve will not want to lose money or reputation right now.

If you have any other questions regarding the world of gaming, feel free to ask in the comments below. For more content related to gaming, stay with us, here at Spiel Times.
