Valve has recently addressed a serious API vulnerability that could allow an adversary to add potentially unlimited funds to their Steam wallet. This could further allow unauthorized conversion of funds to real money as well as meddling with the Steam market.
Steam Wallet API Vulnerability
Reportedly, a security researcher using the alias DrBrix found a severe security flaw affecting the Steam market that led to further issues.
Specifically, the vulnerability existed in the Steam API that Valve used to communicate with the Smart2Pay payment method.
As elaborated in the bug report, exploiting the vulnerability would allow an adversary to add unlimited funds to their Steam wallet. All it took was to intercept the communication between the two platforms. Then, by changing the user's email address to a value that smuggled a new "amount" field into the request, the attacker could have a larger amount credited than was actually paid.
According to the researcher's PoC, paying only $1 would add more money to the Steam wallet simply by placing a numerical value and the word "amount" inside the email address.
Firstly you will have to change your Steam account email to something like (I will explain why in the next steps; amount100 is the important part): brixamount100abc@█████
Then go to https://store.steampowered.com/steamaccount/addfunds and click Add funds.
Proceed to payment and select any payment which uses Smart2Pay payment method (przelewy24 in my country).
Click next steps as you would do with normal transaction…
Then we can change the email from CustomerEmail=brixamount100abc%40████
to CustomerEmail=brix&amount=100&ab=c%40█████████
By this we are adding a new field, amount, with our value.
Then just pay $1 and you should get your money in your Steam wallet in a few hours/days.
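The flaw in the steps above is a query-string injection: an attacker-controlled value (the email) is placed into the payment request without percent-encoding, so the "&" and "=" characters it contains become new parameters. The following is an added illustration, not the researcher's code or Valve's or Smart2Pay's implementation; it assumes the email was concatenated raw into the request and that the receiving side honoured the first "amount" it saw, and it puts the vulnerable builder beside a hardened one plus the server-side checks a payment callback should perform.

```python
from urllib.parse import urlencode, parse_qs

# Constructed sample input modelled on the PoC: an email address that smuggles
# an "amount" key into the request. example.com stands in for the redacted domain.
SMUGGLED_EMAIL = "brix&amount=100&ab=c@example.com"
PAID_AMOUNT = 1  # what the user actually paid

def build_request_vulnerable(email: str, amount: int) -> str:
    """Hypothetical unsafe builder: raw string concatenation. Any '&' or '='
    inside the email becomes query-string syntax on the receiving side."""
    return f"CustomerEmail={email}&amount={amount}"

def build_request_safe(email: str, amount: int) -> str:
    """Percent-encodes every value, so '&', '=' and '@' in the email stay part
    of the email and cannot create or override other fields."""
    return urlencode({"CustomerEmail": email, "amount": amount})

def duplicate_keys(query: str) -> list:
    """Parameter names that occur more than once. A receiver should reject such
    a request outright instead of silently picking the first or last value."""
    return [k for k, v in parse_qs(query).items() if len(v) > 1]

def parse_amount(query: str) -> int:
    """Hypothetical receiver that takes the first 'amount' it sees (an assumption;
    the real backend's precedence rule is not stated in the report)."""
    return int(parse_qs(query)["amount"][0])

def parse_email(query: str) -> str:
    return parse_qs(query)["CustomerEmail"][0]

def credit_wallet(query: str, order_amount: int) -> int:
    """Defensive credit path: refuse duplicate keys and require the amount in the
    callback to equal the amount recorded server-side when the order was created,
    rather than trusting whatever the request carries."""
    dupes = duplicate_keys(query)
    if dupes:
        raise ValueError(f"duplicate query keys: {dupes}")
    amount = parse_amount(query)
    if amount != order_amount:
        raise ValueError(f"amount mismatch: callback {amount} vs order {order_amount}")
    return amount

if __name__ == "__main__":
    vuln = build_request_vulnerable(SMUGGLED_EMAIL, PAID_AMOUNT)
    safe = build_request_safe(SMUGGLED_EMAIL, PAID_AMOUNT)
    print(vuln, "->", parse_amount(vuln))  # 100: the injected value wins
    print(safe, "->", parse_amount(safe))  # 1: the email stays one opaque value
```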
Patch Deployed
Upon discovering the bug, DrBrix reported it to Valve via their HackerOne bug bounty program.
Soon after, Valve reproduced the bug and started working on a fix, which they eventually deployed.
The team rated the bug as critical severity and awarded DrBrix a $7500 bounty for reporting it.