Valve responds to bug that could inflate Steam wallet balances, rewards discoverer with 800,000 yen



A bug was found on the PC game platform Steam that could be used to fraudulently increase a wallet balance. The bug was promptly addressed after the discoverer contacted Valve, which runs Steam, and the discoverer was paid a $7,500 bounty.

#1295844 Modify in-flight data to payment provider Smart2Pay

https://hackerone.com/reports/1295844



Steam security: Valve promptly resolves 'unlimited funds' gaming wallet cheat | The Daily Swig
https://portswigger.net/daily-swig/steam-security-valve-promptly-resolves-unlimited-funds-gaming-wallet-cheat

According to drbrix, who reported the bug, when an attacker made a small payment of at least $1 through the payment service Smart2Pay, it was possible to intercept the POST request sent to the Smart2Pay API and rewrite the amount so that it was much larger than the amount actually paid. This effectively allowed the attacker to fraudulently increase the balance of his Steam wallet.

In addition, carrying out this method reportedly required that the email address of the Steam account include 'amount 100'.

drbrix reported this bug to Valve privately on August 1, 2021. Valve took immediate action, and drbrix was paid $7,500 as a reward for finding the bug.
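The sketch below is an added example, not code from Valve, Smart2Pay or the HackerOne report. It shows the merchant-side checks that stop a rewritten amount from reaching a wallet: an HMAC over an unambiguous, length-prefixed encoding of the payment fields, and reconciliation of the notified amount against the order stored on the server. The key, field names and order store are assumptions made up for the illustration.

```python
import hashlib
import hmac

# Constructed demo key and order store; all names here are assumptions.
MERCHANT_KEY = b"constructed-demo-key"
ORDERS = {"order-1001": {"amount": 10000, "currency": "USD", "credited": False}}
SIGNED_FIELDS = ("order_id", "amount", "currency", "email")


def canonical(fields: dict) -> bytes:
    # Length-prefix every name and value so the content of one field
    # (for example the email address) can never be read as another field.
    out = bytearray()
    for name in SIGNED_FIELDS:
        for part in (name, str(fields[name])):
            raw = part.encode("utf-8")
            out += len(raw).to_bytes(4, "big") + raw
    return bytes(out)


def sign(fields: dict) -> str:
    return hmac.new(MERCHANT_KEY, canonical(fields), hashlib.sha256).hexdigest()


def handle_notification(fields: dict, signature: str) -> str:
    """Decide whether a payment notification may credit the wallet."""
    if any(name not in fields for name in SIGNED_FIELDS):
        return "reject: missing field"
    if not hmac.compare_digest(sign(fields), signature):
        return "reject: bad signature"
    order = ORDERS.get(fields["order_id"])
    if order is None:
        return "reject: unknown order"
    if order["credited"]:
        return "reject: already credited"
    # The paid amount (minor units) and currency must equal the server-side
    # order record; the credit itself is taken from that record.
    if (fields["amount"], fields["currency"]) != (order["amount"], order["currency"]):
        return "reject: amount mismatch"
    order["credited"] = True
    return "credit %d %s" % (order["amount"], order["currency"])
```

The amount check is kept even when the signature verifies, so a notification that is validly signed for a different amount still cannot credit the order.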

Valve told security news site The Daily Swig, 'Thanks to the bug reporter, we were able to work with payment providers to resolve issues without impacting our customers.'

in Web Service, Game, Security, Posted by logc_nt