
Celebrating employer excellence in the video games industry

8th July 2021

Submit your company

Valve rewards man $20,000 for discovering unlimited free game codes bug

Bug allowed anyone with a developer portal account to generate thousands of free codes for any game

Valve has rewarded a man with $20,000 after he discovered a bug which let people generate thousands of free codes at once for any game.

The flaw was rooted out by security researcher Artem Moskowsky, who reported it to Valve on August 7.

Valve fixed the issue weeks ago and it has since been made public via HackerOne.

By changing a single parameter, any person with a developer account on the portal could generate thousands of activation keys simultaneously for any other game hosted by Steam.

Speaking with The Register, Moskowsky says he found the bug by chance while exploring the functionality of a web application.

"To exploit the vulnerability, it was necessary to make only one request," he said. "I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys."

While testing the extent of the flaw, Moskowsky entered a string of random numbers as a request and received 36,000 keys for Portal 2.

Rather than make the information public, he submitted a report to Valve and was rewarded through the company's bug bounty scheme.

Moskowsky was given $15,000 and a bonus $5,000 for disclosing the issue privately.

This is not Moskowsky's largest payout from Valve, however; in July he received $25,000 for discovering an SQL injection bug in the same portal.
