Bounty hacker Artem Moskowsky has managed to trick Steam's client into giving him a bunch of games for free under certain circumstances. Tempting, yes, but reporting the bug to Valve netted him a fat check of $20,000 from uncle Gabe.
What Moscowsky did was trick the service as an authenticated user into giving him all the previously generated keys for any game he wishes. The bug report states that he did so "Using the /partnercdkeys/assignkeys/ endpoint on partner.steamgames.com with specific parameters".
Moskowsky claims it was as easy as making a single tweak. "I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys", he said.
Peculiarly enough, his attempt to test the exploit with a random game spit out Portal 2, or more precisely 36,000 copies of Valve's game. Seeing as how Portal 2 is still pretty cheap, going for $10 on Steam, it's still a hefty financial stab, which could've been catastrophic for some more expensive games.
Thankfully, Valve claim that Steam's audit logs are not bypassed using this method and that there's no reason for concern. Their investigation has shown the bug has not been exploited previously so yeah, nobody's stealing those game's you won't play anyway.
The bug report on HackerOne describes the severity of the issue as critical 9-10, which ultimately earned Moskowsky $15,000 in bounty with a $5,000 bonus on top. Note that the man is a proficient bug hunter, with a long record of working with Valve. Erm, against Valve. Yeah, you know what I mean.
Anyway, one of his Steam exploits from four months ago earned him $25,000 and his history with the platform includes another bunch of smaller bug reports. Speaking with The Register, Moskowsky said that he's been doing security research since he was in school, ultimately making it a career choice.
You can find the full report on Steam's vulnerability bug and Moskowsky's interview with The Register over here .