The error allowed any user to receive thousands of Steam keys for any game.
Artem Moskowsky is a hacker who specializes in finding security flaws, and he recently discovered how any Steam user could request a thousand keys to download any game from the platform. The process was relatively straightforward for fans with sufficient coding knowledge. For reporting it, Valve has rewarded Moskowsky with $20,000.
Moskowsky explained to The Register that he found this hole in Valve’s platform security by chance. “To exploit the vulnerability, it was necessary to make a single request,” he said in the interview. “I managed to omit verification of game ownership by changing just one parameter. After that, I was able to put any ID into another parameter and get any set of keys.”
Instead of using the download codes, he reported the flaw to Valve, which, through its program dedicated to rewarding this type of report, paid him 20,000 dollars as a bonus, 5,000 dollars more than established, since Moskowsky did not make public either the keys or the method to obtain them before the flaw was corrected. You can follow the evolution and details of this story on HackerOne.
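
The class of flaw Moskowsky describes, where one request parameter switches off the ownership check and another selects the game, is shown below next to a server-side fix. This is an added example, not Valve's code or part of the original article; every parameter name, function and data value in it is hypothetical, and the per-request cap is an assumption.

```python
# Constructed sample data (hypothetical): which account owns which game IDs,
# and the keys stored for each game.
OWNERSHIP = {"partner_a": {100, 101}, "partner_b": {200}}
KEYS = {100: ["A-1", "A-2"], 101: ["B-1"], 200: ["C-1", "C-2", "C-3"]}
MAX_KEYS_PER_REQUEST = 2  # assumed limit, not taken from the article


class Forbidden(Exception):
    """Raised when the caller may not fetch keys for the requested game."""


def fetch_keys_vulnerable(session_user, params):
    """Flawed handler: the client decides whether ownership is verified."""
    app_id = int(params["app_id"])
    # Defect: a request parameter controls a security decision.
    if params.get("verify_owner", "1") == "1":
        if app_id not in OWNERSHIP.get(session_user, set()):
            raise Forbidden(app_id)
    count = int(params.get("count", 1))
    return KEYS.get(app_id, [])[:count]


def fetch_keys_hardened(session_user, params):
    """Fixed handler: ownership comes only from the authenticated session."""
    try:
        app_id = int(params["app_id"])
        count = int(params.get("count", 1))
    except (KeyError, ValueError):
        raise Forbidden("malformed request")
    # Always enforced; any client-supplied "verify_owner" value is ignored.
    if app_id not in OWNERSHIP.get(session_user, set()):
        raise Forbidden(app_id)
    # Bound the batch size so one request cannot drain the key pool.
    if not 1 <= count <= MAX_KEYS_PER_REQUEST:
        raise Forbidden("count out of range")
    return KEYS.get(app_id, [])[:count]
```
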