Steam wallet flaw could turn $1 into hundreds

Games on Steam can be pretty expensive, but that’s not a problem if you can turn a single dollar into an unlimited amount of funds. Steam recently awarded a $7,500 bug bounty to a security researcher who discovered an interesting — and potentially very lucrative — bug in Steam Wallet. By taking advantage of an online payment company’s API, an enterprising cybercriminal could trick Steam into adding a theoretically unlimited amount of money into a user’s account.

That information comes from a highly technical report on HackerOne, via The Daily Swig. Security researcher “drbrix” outlined all of his findings, and disclosed precisely how to take advantage of the bug. (For anyone who was hoping to replicate the trick, don’t bother; Steam patched it out of existence weeks ago, according to comments in the HackerOne thread.)

Briefly, here’s how the flaw worked: First, a user would open his or her Steam Wallet, and add a payment method. One possible method is a Dutch online payment company called Smart2Pay. By modifying the Smart2Pay API directly, drbrix discovered that he could edit the payment amount after making any form of legitimate deposit. In other words: He could pay $1 to Smart2Pay, then convince Steam that he had added $100 to his account.

Apparently, $100 is as high as the modification request would go, but that means you could essentially buy 10 brand-new, full-price games for $6. It’s not hard to see how this flaw could have created a lot of mischief, had anyone ever taken advantage of it in the wild.

The good news is that it doesn’t seem like anyone took advantage of this exploit, save drbrix while he was testing it. The better news is that users don’t have to do anything special to fix it; the vulnerability was on Valve’s end. It’s not clear whether Smart2Pay has also patched its API, but it’s also not clear whether such a patch would be necessary.
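The summary above does not say how Valve fixed the flaw. As an added example (not Valve's or Smart2Pay's code), here is one general merchant-side defense against this class of bug: the wallet credits only an amount fixed server-side, and only when an authenticated processor notification confirms that exact amount was paid. The field names, secret, notification format and order data are all constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # hypothetical merchant/processor shared key

# Orders are created server-side; the browser never chooses the amount to credit.
ORDERS = {
    "order-1001": {"user": "alice", "amount_cents": 10000, "currency": "USD", "credited": False},
    "order-1002": {"user": "alice", "amount_cents": 500, "currency": "USD", "credited": False},
}
WALLETS = {"alice": 0}


def sign(fields: dict) -> str:
    """HMAC over every field, length-prefixed so one value cannot spill into another."""
    msg = "".join(f"{len(k)}:{k}={len(str(v))}:{v};" for k, v in sorted(fields.items()))
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()


def handle_notification(note: dict) -> str:
    """Decide whether a processor callback (hypothetical format) may credit the wallet."""
    fields = {k: v for k, v in note.items() if k != "sig"}
    supplied = str(note.get("sig", "")).encode()
    if not hmac.compare_digest(sign(fields).encode(), supplied):
        return "reject: bad signature"
    order = ORDERS.get(fields.get("order_id"))
    if order is None:
        return "reject: unknown order"
    if order["credited"]:
        return "reject: already credited"  # replayed notification
    paid = (fields.get("paid_cents"), fields.get("currency"))
    if paid != (order["amount_cents"], order["currency"]):
        return "reject: amount mismatch"  # e.g. $1 paid against a $100 top-up
    order["credited"] = True
    WALLETS[order["user"]] += order["amount_cents"]
    return "credited"


if __name__ == "__main__":
    # Constructed notification: validly signed, but only 100 cents were paid.
    note = {"order_id": "order-1001", "paid_cents": 100, "currency": "USD"}
    note["sig"] = sign(note)
    print(handle_notification(note), WALLETS)
```

The amount check and the signature check cover different failures: the signature stops a client from rewriting the notification, while the comparison against the stored order stops a genuine but smaller payment from being credited at the larger amount.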

For his efforts, drbrix earned a $7,500 bug bounty from Steam; a Valve representative described the flaw as “a real business risk” in the HackerOne comments.

While there’s nothing that everyday users need to worry about here, this story does serve as a best-case scenario for how companies can address flaws in live software. A researcher found a flaw, reported it through the correct channels, and received a generous bounty for his efforts. Valve acknowledged the issue and patched it immediately. There are much more nightmarish ways this could have gone.

As for your own Steam Wallet, the usual precautions apply here. Both Steam and PayPal offer two-factor authentication, and you should employ both. While you won’t be able to turn $1 into $100, you can take advantage of frequent Steam sales to get major titles for relatively little money.

