A hole in Steam's security that would allow for hackers to add funds indefinitely to their Steam Wallets has recently been spotted and patched by Valve. The glitch, if gone unnoticed, could have caused irreparable damage to the massive online gaming marketplace, as the Steam Wallet is what account holders use to store funds and purchase games.
Even though it's made headlines recently with the announcement of the powerful Steam Deck handheld, Valve is perhaps most well known for Steam itself, one of the biggest platforms for sharing and selling video games online. Steam is used by massive AAA developers and indie studios alike, with several smaller titles gaining lots of attention through the storefront. Because of its visibility in the gaming world, Valve is listed on Hackerone, a website that freelance programmers can use to connect with major companies. These programmers will often try to uncover potential exploits in websites and apps like Steam. In the gaming sphere, this can prevent issues like the recent hacker invasion of Call of Duty: Warzone.
A Hackerone programmer appears to have been successful in preventing a potentially catastrophic exploit on Steam, according to an article from Kotaku. The programmer, who calls themselves drbrix, found that Steam users could add a hypothetically unlimited amount of funds to their Steam Wallets via an exploit related to the Dutch payment platform Smart2Pay. Essentially, by choosing this payment option during checkout while using a specific email, hackers could intercept the transaction and inflate a deposit far beyond its initial amount. Thankfully, drbrix volunteered this information to Valve and was awarded $7,500 for their efforts. Valve went on to issue a patch preventing this exploit from occurring.
As the Kotaku piece points out, $7,500 seems like a very small reward for uncovering such a massive blind spot in Steam's security. Malicious hackers pose a major financial threat to gaming companies. A recent example of this threat can be seen in this summer's data hack against EA. The exploit that drbrix was able to uncover arguably has even more potential to cause harm, as attackers could take advantage of it to essentially break the Steam marketplace.
Whether or not Valve's payment was commensurate with drbrix's achievement, Steam users can rest easy knowing that a vulnerability this large has been addressed. However, such a glaring hole in Steam's security does raise questions regarding the overall integrity of the platform. Hopefully, this unlimited Steam Wallet exploit is nothing more than a notable exception in an otherwise reliable online marketplace.
Source: Kotaku