An interesting, and potentially terrifying, story from The Register reveals a serious vulnerability in Steam that could have shut down the entire platform had it been publicly disclosed.
A security expert by the name of Artem Moskowsky, performing some basic snooping, was able to uncover a major bug in the Steamworks API (Application Programming Interface). This bug made it possible to generate game keys for nearly any game currently for sale on Steam.
The Steamworks API is a system run by Valve that allows game developers and publishers to do all kinds of things with their games. The API works as part of a suite of tools Valve provides so that game creators can improve the compatibility, feature sets and overall enjoyment of their games on the platform. Under normal circumstances, things like DRM, software compatibility, content and patch distribution and other aspects of a game can be managed via these tools. One specific function of the API revolves around the management of keys for games.
Game publishers and developers can generate free keys for their games, and then use these to provide giveaways, free review codes and other such goodies to gamers and publications. Normally this system is secured and restricted to the games directly owned by that developer. But it turns out that the verification of ownership was controlled by a single client-side ID. The researcher was able to bypass the API's authentication by changing a single value within the string submitted to the server.
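As an added illustration (this is not Valve's code; the request fields, account names and app ids are constructed for the example), the toy handler below contrasts a key-request endpoint that trusts a client-supplied owner field with one that derives ownership from the authenticated session and checks it on the server, which is the kind of server-side check the fix is described as adding:

```python
# Added illustration, not Valve's code: a toy key-request handler showing
# ownership proven by a client-supplied field beside the server-side check
# that fixes it. Parameter names, accounts and app ids are constructed.
import secrets

# Server-side truth: which publisher account owns which app (constructed).
OWNERSHIP = {
    "publisher_a": {"app_100"},
    "publisher_b": {"app_200"},
}


def _mint_keys(app_id, count):
    """Generate opaque, unguessable keys for an app (format is illustrative)."""
    return [f"{app_id}-{secrets.token_hex(8)}" for _ in range(count)]


def request_keys_vulnerable(session_account, params):
    """Trusts params['owner_id'] to decide ownership: the client picks the
    owner, so any authenticated developer can claim any app."""
    owner = params["owner_id"]                      # client-controlled
    if params["app_id"] not in OWNERSHIP.get(owner, set()):
        return {"error": "not owner"}
    return {"keys": _mint_keys(params["app_id"], params["count"])}


def request_keys_fixed(session_account, params, max_per_request=5000):
    """Derives the owner from the authenticated session only, ignores any
    owner field in the request, and caps batch size so abuse is bounded."""
    owned = OWNERSHIP.get(session_account, set())
    if params["app_id"] not in owned:
        return {"error": "not owner"}
    count = int(params["count"])
    if not 0 < count <= max_per_request:
        return {"error": "invalid count"}
    return {"keys": _mint_keys(params["app_id"], count)}


def demo():
    """publisher_b asks for keys to app_100, which it does not own, while
    naming publisher_a as the owner in the request body. Returns whether the
    vulnerable handler issued keys and whether the fixed handler refused."""
    spoofed = {"owner_id": "publisher_a", "app_id": "app_100", "count": 3}
    before = request_keys_vulnerable("publisher_b", spoofed)
    after = request_keys_fixed("publisher_b", spoofed)
    return "keys" in before, "error" in after
```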
“To exploit the vulnerability, it was necessary to make only one request,” said Moskowsky. “I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys.”
This meant that he now had full access to the Steam library, at least for generating keys for games. In one example, 36,000 keys were generated for Portal 2.
So this means that anyone with a Steamworks developer account could potentially generate hundreds of keys for popular games, and then push them out to various grey-market reseller sites, making a tidy profit at the expense of upstanding developers. And if this had been repeated across several more expensive games, the potential loss in revenue would have shot into the millions of dollars.
It’s unclear whether more malicious actions could have been performed with the buggy version of the API. If the same verification was in place for things like uploading content to games, it would potentially have been possible to push malicious payloads into popular games using a similar exploit. That would probably require crafting a full version of the target game, with the malicious payload inside, in order to infect end-users. I seriously doubt it would be that easy though; Valve isn’t quite that stupid.
This and 19 other bugs were reported to Valve by the discoverer on August 7, 2018. The company patched the vulnerability by implementing more stringent server-side checks. Within three days of him reporting it, Valve gave him a $15,000 “finder’s fee” plus a $5,000 bonus. So Artem Moskowsky just got a nice payday.
All in all, take this as a lesson: don’t put all your security on the client side. Any hacker, security expert, or even just a dumb kid can beat that kind of weak protection.