Valve has rewarded a security researcher with $7,500 for reporting a major vulnerability in Steam’s payment system. This flaw allowed hackers to add an unlimited amount of funds to their Steam wallets. The store refused to disclose whether anyone was actually able to exploit this flaw to add money to their wallets.
Researcher “drbrix” reported the exploit that allowed hackers to generate an unlimited amount of funds in their Steam wallets. The bug would allow players with “amount100” in their Steam-registered email address to intercept payments via Smart2Pay.
After registering the account, users could continue to add funds to their Steam wallets with Smart2Pay as the payment method, free of charge. The selected amount could have been as little as $1, as attackers then intercepted the POST request (the data request sent to the server) and manipulated it to change the actual amount.
Smart2Pay has not yet commented on the exploit, but a Valve spokesperson said the report has enabled the platform to work with the payment provider to resolve the issue without impacting customers.