Until recently, Steam had an exploit that could've let you add unlimited funds to your Steam Wallet. Discovered by security researcher "drbrix", the storefront had a way users could fake the value of their deposits by changing a few words in the email address associated with the account. Valve have patched the exploit now though, and awarded $7500 (around £5410) to drbrix for finding it.

The hack would've involved a Steam user changing their account email address to include the phrase "amount100", before adding a little bit of money to their Wallet using a method that goes through the Smart2Pay payment system. This exploit would then let the hacker intercept the request being sent to Smart2Pay's servers, allowing them to alter how much money they were actually adding. So if they just paid $1, they'd be able to turn that into $100 instead. (I guess it's technically not "infinite" if you have to pay a little bit every time, but still!) You can read the full explanation of how it all worked over on HackerOne.

In a thread that's now been made public (seeing as the exploit has been fixed), Valve staff member "jonp" thanked drbrix, rewarding them with the $7500 bounty.

"This was clearly written and helpful in identifying a real business risk. We have changed the severity assessment to Critical, reflecting the potential cost to the business, and applied a bounty accordingly," jonp said. "We hope to hear more from you in the future."