Skip to main content

Long read: The beauty and drama of video games and their clouds

"It's a little bit hard to work out without knowing the altitude of that dragon..."

If you click on a link and make a purchase we may receive a small commission. Read our editorial policy.

Man finds Steam key-generating bug, Valve gives him £15,000

Wait what?

Robert Purchese avatar
News by Robert Purchese Associate Editor
Updated on
19 comments

Artem Moskowsky was testing a web application on the Steam developer site one day when suddenly he noticed a bug: he could generate game keys - thousands of them.

By altering a couple of parameters he was able to, at one point, generate 36,000 Portal 2 keys, Moskowsky told The Register. The kind of keys which activate games on Steam so can be equivalent in worth to a full game.

For a hacker, it's like hitting the jackpot - but not quite. The keys Moskowsky was generating had been generated before, so probably used before. He wasn't creating 36,000 new keys for Portal 2, he was seeing 36,000 keys generated for it.

Nevertheless, Mokowsky had valuable information - so valuable, in fact, Valve paid £15,000 for it.

"Working together we can all make Steam and the internet safer." -Valve

You can see the timeline of events on bug-reporting platform HackerOne.

On 7th August, Moskowsky reported the bug. "Using the /partnercdkeys/assignkeys/ endpoint on partner.steamgames.com with specific parameters, an authenticated user could download previously-generated CD keys for a game which they would not normally have access."

A few days later, on 11th August, Valve awarded Moskowsky $20,000. But this wasn't divulged publicly until 31st October 2018.

How noble of Artem Moskowsky to report it, you might think, and how nice of Valve to reward him, but it's actually a commonplace reaction in the HackerOne initiative Valve has to reward researchers finding vulnerabilities in its work.

Moskowsky himself was awarded $25,000 a mere month earlier by Valve.

Cover image for YouTube videoWhat happens to your Steam account when you die? - Here's A Thing
Here's a cheery thought.Watch on YouTube

"Valve recognises how important it is to help protect privacy and security," Valve's HackerOne page reads. "We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver secure and enjoyable experiences in all of our products and services.

"Security includes everyone. Our Steam users, our developers, third-party software developers and the security community. Working together we can all make Steam and the internet safer.

"Security of our networks and services is important for us and for you. We take it seriously. If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our Support site. This includes password problems, login issues, suspected fraud and account abuse issues.

"We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty."

Be right back; becoming a researcher.

Read this next