Man finds Steam key-generating bug, Valve gives him £15,000

Wait what?

Artem Moskowsky was testing a web application on the Steam developer site one day when suddenly he noticed a bug: he could generate game keys - thousands of them.

By altering a couple of parameters he was able to, at one point, generate 36,000 Portal 2 keys, Moskowsky told The Register. These are the kind of keys which activate games on Steam, so each can be equivalent in worth to a full game.

For a hacker, it's like hitting the jackpot - but not quite. The keys Moskowsky was generating had been generated before, so probably used before. He wasn't creating 36,000 new keys for Portal 2, he was seeing 36,000 keys generated for it.

Nevertheless, Moskowsky had valuable information - so valuable, in fact, that Valve paid £15,000 for it.

You can see the timeline of events on bug-reporting platform HackerOne.

On 7th August, Moskowsky reported the bug. "Using the /partnercdkeys/assignkeys/ endpoint on with specific parameters, an authenticated user could download previously-generated CD keys for a game which they would not normally have access."

A few days later, on 11th August, Valve awarded Moskowsky $20,000. But this wasn't divulged publicly until 31st October 2018.

How noble of Artem Moskowsky to report it, you might think, and how nice of Valve to reward him, but it's actually commonplace: Valve runs a HackerOne initiative to reward researchers who find vulnerabilities in its work.

Moskowsky himself was awarded $25,000 a mere month earlier by Valve.

Here's a cheery thought.

"Valve recognises how important it is to help protect privacy and security," Valve's HackerOne page reads. "We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver secure and enjoyable experiences in all of our products and services.

"Security includes everyone. Our Steam users, our developers, third-party software developers and the security community. Working together we can all make Steam and the internet safer.

"Security of our networks and services is important for us and for you. We take it seriously. If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our Support site. This includes password problems, login issues, suspected fraud and account abuse issues.

"We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty."

Be right back; becoming a researcher.

About the author

Robert Purchese

Senior Staff Writer  |  Clert

Bertie is senior staff writer and Eurogamer's Poland-and-dragons correspondent. He's part of the furniture here, a friendly chair, and reports on all kinds of things, the stranger the better.

