Steam bug let users download unlimited games for free
Steam, a digital games platform for PC, has managed to plug a potentially catastrophic bug that let users download an unlimited amount of games for free.
The bug, as spotted by security researcher Artem Moskowsky, was found in Steam’s developer portal and would let anyone generate licence keys without paying. The key generation tool is intended to allow developers to generate licence keys for software so copies can be given away to journalists for review or as prizes for fans.
However, Moskowsky discovered that the request form actually generated thousands of codes for absolutely any game on the store. This meant that, if someone fancied registering themselves as a developer, anyone could get access to any game on Steam for free and download thousands of codes and sell them on the black market for profit.
Speaking to The Register, Moskowsky explained that he “managed to bypass the verification of ownership of the game by changing only one parameter”.
Doing the right thing, Moskowsky approached Steam’s owner, Valve, and allowed them to fix the issue. As part of Valve’s bounty programme, which awards hackers for coming to Valve instead of sharing the exploit online, Moskowsky received a $20,000 (£15,500) payout.
Valve says that, after checking its logs, nobody had exploited the bug before they managed to patch it.
While not quite in the league of a zero-day exploit or a huge data breach, if this Steam exploit had fallen into the wrong hands, thousands of developers could have found themselves out of pocket for the games they’ve spent years labouring over. It would also have a huge impact on Steam’s bottom line, as cheap codes poured out online without a penny going to Valve.