Valve Patches Steam Wallet Flaw That Allowed Unlimited Addition of Fake Funds

Video game developer and digital distribution company Valve recently announced it has addressed an API exploit that could let malicious actors add unlimited amounts of money to their Steam wallets.

The vulnerability was submitted through the Hackerone platform earlier this month by a security researcher named ‘Drbrix’.

For the exploit to work, threat actors would need to link or change their Steam email address to one containing the term “amount100”. After the modification is made, the user would need to go to the “Add Funds” button and select a Smart2Pay payment method such as PayPal.

He later explained that the attackers would need to intercept a POST request (the data sent to the server) where they can change the payment amount.

For example, one could simply add $1 and change the payment to $1000. Luckily, the vulnerability was found and fixed before criminals could capitalize on it.

Even though any added Steam funds can only be used for in-game purchases, merchandise and subscriptions, the researcher emphasized the exploit could easily break the marketplace on Steam.

“I think impact is pretty obvious, an attacker can generate money and break Steam market, sell game keys for cheap,” Drbrix said.

The game developers were quick to investigate the report and thanked the researcher for helping identify a serious business risk.

“This was clearly written and helpful in identifying a real business risk,” the company said. “We have changed the severity assessment to Critical, reflecting the potential cost to the business.”

As thanks for submitting his tip, Drbrix was awarded a $7,500 bug bounty from Valve.