A Ukrainian vulnerability researcher has found a bug that would have allowed him to download every activation key (also known as a CD key) ever made available through the Steam gaming platform, for any game.
Moskowsky found the bug in a Steam web API located at partner.steamgames.com/partnercdkeys/assignkeys/.
This is the API that lets game developers or affiliates retrieve CD keys made available to Steam users so their customers can activate a game installed via the Steam client.
This API is accessible using a regular Steam account and takes several parameters, but the ones that matter here are appid (identifying the game), keyid (identifying a particular set of CD keys for that game), and keycount (the number of CD keys Steam should return from that set).
Moskowsky says that under normal circumstances, when he attempted to retrieve CD keys for games he didn't own, Steam's API returned an error, which is what is supposed to happen.
But the researcher found that by setting the keycount parameter to "0" he could bypass the API's access check entirely: instead of an error, the API returned a file containing the CD keys for whatever appid and keyid he supplied, even though his account was not supposed to have access to that game's CD key collection.
In an interview with ZDNet, Moskowsky told us the bug wasn't complicated to figure out, "but it was not obvious enough" for the casual observer.
“Here, my intuition helped me,” he said.
During his tests, and before notifying Steam, the researcher said he was able to generate and download over 36,000 CD keys for the Portal 2 game.
Further, as he explored the bug's reach, he also realized that an attacker could walk through every Steam game ID and gradually download all of their CD keys, since the appid and keyid parameters were sequential and easy to guess.
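To make the class of bug concrete, the following is an added, constructed model of the keycount=0 bypass and the enumeration it enables. It is not Valve's code and not the researcher's: the real assignkeys handler is not public, so the handler shape, the account and app identifiers, and the key values below are all assumptions. The model reproduces one plausible cause, an ownership check that only guards the "generate keycount new keys" branch while a keycount of 0 falls through to "return the existing key file" unchecked, and shows the hardened form that authorizes before branching on any request parameter.

```python
"""Constructed model of a keycount=0 authorization bypass (not Valve's code)."""

# Constructed sample data: which partner account may manage which appid,
# and the CD keys already issued for each (appid, keyid) set.
OWNERSHIP = {"partner-A": {10}, "partner-B": {20}}
KEY_SETS = {
    (10, 1): ["AAAAA-11111", "AAAAA-22222"],
    (20, 1): ["BBBBB-11111", "BBBBB-22222", "BBBBB-33333"],
}


class ApiError(Exception):
    """Stand-in for the error response the real API returns."""


def _owns(account, appid):
    return appid in OWNERSHIP.get(account, set())


def _generate(appid, keyid, n):
    # Stand-in for real key generation; values are illustrative only.
    return [f"NEW-{appid}-{keyid}-{i}" for i in range(n)]


def assign_keys_vulnerable(account, appid, keyid, keycount):
    """Hypothetical buggy handler: ownership is only checked when keys are generated."""
    if (appid, keyid) not in KEY_SETS:
        raise ApiError("unknown key set")
    if keycount > 0:
        if not _owns(account, appid):
            raise ApiError("access denied")
        return _generate(appid, keyid, keycount)
    # keycount == 0: "nothing to generate", so hand back the existing key file.
    # No ownership check on this path: any account can read any game's keys.
    return list(KEY_SETS[(appid, keyid)])


def assign_keys_fixed(account, appid, keyid, keycount):
    """Hardened handler: authorize first, validate inputs, then act."""
    if not _owns(account, appid):
        # Deny before revealing whether the key set even exists.
        raise ApiError("access denied")
    if (appid, keyid) not in KEY_SETS:
        raise ApiError("unknown key set")
    if not isinstance(keycount, int) or keycount < 1:
        # A request for zero keys has no legitimate meaning; reject it.
        raise ApiError("keycount must be a positive integer")
    return _generate(appid, keyid, keycount)


def denied(handler, account, appid, keyid, keycount):
    """True if the handler refuses the request with an ApiError."""
    try:
        handler(account, appid, keyid, keycount)
    except ApiError:
        return True
    return False


def enumerate_key_sets(account, handler, max_appid=30, max_keyid=3):
    """Sweep guessable (appid, keyid) pairs with keycount=0 and collect whatever leaks.

    Models the bug's reach: against the vulnerable handler, a single
    unprivileged account recovers every key set; against the fixed one, nothing.
    """
    leaked = {}
    for appid in range(1, max_appid + 1):
        for keyid in range(1, max_keyid + 1):
            try:
                leaked[(appid, keyid)] = handler(account, appid, keyid, 0)
            except ApiError:
                continue
    return leaked


if __name__ == "__main__":
    # partner-A owns appid 10 only, yet reads appid 20's keys via keycount=0.
    print(assign_keys_vulnerable("partner-A", 20, 1, 0))
    print(enumerate_key_sets("partner-A", assign_keys_vulnerable))
    print(enumerate_key_sets("partner-A", assign_keys_fixed))
```

The fix is structural rather than a special case for zero: the authorization decision is made on the identity and the resource alone, before any request parameter can select a code path, and the parameter range is validated separately. Whether a specific value such as 0 is "harmless" never enters into the access decision.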
Moskowsky reported the bug to Valve in August via the company’s HackerOne bug bounty platform, and the company fixed it within days but only recently allowed him to go public with his findings.
It is unclear whether anybody else found or exploited this issue before Moskowsky stumbled upon it. "Valve did not provide me with this information," the researcher told ZDNet. "But I personally think that no one used the vulnerability." Valve also didn't respond to a request for comment from ZDNet.
The researcher received a $20,000 reward for reporting this particular bug to Valve, one of the largest bug bounties the platform has ever paid.
A month earlier, Moskowsky had collected Valve's top reward of $25,000 for discovering and reporting an SQL injection flaw in the same Steamworks partner portal.
Moskowsky tells ZDNet he's had a very fruitful year overall, having also collected $18,000 from the ViaBTC mining pool and another $13,300 from Samsung.