I just came across this interesting article and was surprised not to have heard about it here first. Apparently there was an (already closed) flaw in the Steamworks API that allowed accessing activation keys for every game on Steam. The flaw was discovered by Ukrainian vulnerability researcher Artem Moskowsky, who reported the breach to Valve in August 2018 and was rewarded a $20.000 bug bounty. Despite being part of Steamworks, you did not need developer privileges to find or exploit the flaw.

Apparently, when he initially found the flaw he was able to generate 36.000 valid keys for Portal 2, but then he realized the full scope of the flaw and that it affected every game on Steam. After being made aware of it in August, Valve fixed the breach ASAP, and Moskowsky has now been legally allowed to discuss the matter publicly. It is unclear if anybody else ever found or exploited this issue before Moskowsky stumbled upon it.

Initially I found this article about it on a German gaming site, but then realized it would be better to put the English source article at the top of the post and not at the bottom.

6 years ago*


Would you have robbed Valve blind?

My moral compass is broken beyond repair. Gib PUBG / NieR:Automata now! (Yes.)
If I was to rob Valve, it's gonna be with a 9-millimeter pointed at Gaben's face. (No.)

I have to start cooking now so I won't be able to moderate this thread or respond to comments.

6 years ago*

Have fun with your cooking and meal. :D

6 years ago

Thank you :) In case anybody was wondering it's gonna be Berner sausages with fried potatoes and onions :D

6 years ago

I've never heard of Berner sausages before, but sausages stuffed with cheese and wrapped in bacon sounds pretty awesome. Let me know how they turn out.

6 years ago

They turned out pretty well. This feels a little bit Instagram, but I suppose as long as I don't make a habit out of it it's ok :D

Also I may be the slowest cook in this Verse and the next :D

6 years ago

I shouldn't have googled . . . Early wee hours in the morning and I am starting to feel hungry hahaha. Enjoy your meal. Munch on them appetizingly for me XD
Bon Appetit!

6 years ago

Ouch, I thought of cooking blue meth :-)

6 years ago

I'm not really the Heisenberg type of guy, more of a Mary-Louise Parker :P

6 years ago

Meth?!

6 years ago*

My paws are way too clumsy for that :D I do however know a Rottweiler whose human might be able to hook you up. They're a bit twitchy though (both the dog and her human) so no sudden movements :P

6 years ago

LOL

Thank you for the coffee-spray through my nose over my floor....
It burrrrrrnsssss!

6 years ago

I am reminded of the episode of The Simpsons where Ralph ate some unknown berries off of a bush.

"It tastes like....burning!" :)

6 years ago

6 years ago

Read the header but thought it was like fake news.

6 years ago

But would it allow key generation for Half-Life 3?

6 years ago

Only games that exist or will exist at some point :P

6 years ago

I WANT TO BELIEVE!

6 years ago

I get you ;) I had one of these hanging on my room's door when I was a kid. But not the cool one Mulder had, but some rip-off with a greenish alien on it and the same dubbing.

6 years ago*

So the answer is "yes".

6 years ago

Generating keys is too immoral for me. I wouldn't have taken advantage of it even if given the chance.

6 years ago

I would probably be the biggest G2A/Kinguin/Gamivo seller of all time.

6 years ago

His reported earnings are interesting. I wonder how many "vulnerability researchers" actually manage to make a living off their findings.

6 years ago

One of the reasons I "gave up" programming is the amount of time you need to decode. You may spend 5-6 hrs looking at the code just to find out it was just a capitalization error. I am not smart enough nor am I patient enough for it. I am pretty sure he had spent a good amount of time, so the bounty is such, and it saves Valve far more than the bounty had offered. :)

6 years ago

It certainly requires a specific talent, considering that he earned another 25k from Steam one month earlier and had other great rewards from other companies too in 2018.

6 years ago

Indeed. :)

6 years ago

Well, since the flaw lies in Steamworks and you need to be licensed for Steamworks, even if I paid $100 for the access or whatever, I will not risk my reputation and work. It's a much smaller gain than the amount gained from the bounty. What's more, since everything is on a Steam account, when you are eventually found out, all Valve has to do is suspend your account and that's it. So why bother? Take the bounty! XD
Cheers~

6 years ago

No. Apparently, despite being part of Steamworks, you didn't need developer privileges to find or exploit the flaw. I was wondering that myself, so I was glad the ZDNet article points it out ;)

6 years ago

Moskowsky found the bug in a Steam web API located at partner.steamgames.com/partnercdkeys/assignkeys/.

Hmm, pretty sure it means you have to have access to the folder, then you can generate, but you can assign them to accounts.

Using the /partnercdkeys/assignkeys/ endpoint on partner.steamgames.com with specific parameters, an authenticated user could download previously-generated CD keys for a game which they would not normally have access.

From hackerone on ZDNet's article. :)
Cheers~

6 years ago
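The HackerOne text quoted above describes a classic broken-access-control bug: the endpoint checked that the caller was logged in, but not that the caller was licensed for the app whose keys it handed out. The following is an added example, not Valve's code and not the actual mechanics of the reported bug: a constructed model of a key-download handler in its vulnerable and hardened forms, with the audit-log entries (the kind Valve's response says it checked for prior exploitation) that let a defender spot cross-app requests. All account names, app IDs and keys are made up.

```python
# Added illustration (not Valve's code): a toy model of a partner key-download
# endpoint like /partnercdkeys/assignkeys/, first with authentication only,
# then with a per-app authorization check and audit logging.
from dataclasses import dataclass, field

# Constructed partner data: which accounts are licensed for which app IDs,
# and the CD keys that were previously generated for each app.
PARTNER_APPS = {"devco": {620}, "indiestudio": {9001}}
GENERATED_KEYS = {620: ["AAAAA-BBBBB-CCCCC", "DDDDD-EEEEE-FFFFF"],
                  9001: ["GGGGG-HHHHH-IIIII"]}


class Forbidden(Exception):
    """Raised when a request is not allowed for the calling account."""


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user, appid, outcome, count):
        self.entries.append({"user": user, "appid": appid,
                             "outcome": outcome, "count": count})


def assign_keys_vulnerable(user, appid, keycount):
    """Authentication without authorization: any logged-in partner account
    receives the keys of any appid because ownership is never checked."""
    if user not in PARTNER_APPS:          # only "is this a known account?"
        raise Forbidden("not logged in")
    return GENERATED_KEYS.get(appid, [])[:keycount]


def assign_keys_hardened(user, appid, keycount, log):
    """Same endpoint with a per-app ownership check, a bounded keycount and
    an audit record for every attempt, denied ones included."""
    if user not in PARTNER_APPS:
        raise Forbidden("not logged in")
    if appid not in PARTNER_APPS[user]:   # authorization: user must own appid
        log.record(user, appid, "denied", 0)
        raise Forbidden(f"{user} is not licensed for app {appid}")
    available = GENERATED_KEYS.get(appid, [])
    keys = available[:max(0, min(keycount, len(available)))]
    log.record(user, appid, "ok", len(keys))
    return keys


def denied_cross_app_requests(log):
    """Detection view over the audit log: (account, appid) pairs where an
    account asked for keys of an app it does not own."""
    return [(e["user"], e["appid"]) for e in log.entries
            if e["outcome"] == "denied"]
```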

To be honest, I was already quite hungry when I found the article but wanted to post about it anyway, so I only quickly cross-read both articles. You seem to be pretty well informed on the matter, so I'll cross out that part about not requiring developer privileges for now.

6 years ago

Nah, I cross-read too. I did read more when you mentioned otherwise. I could be wrong too. Anyways, have a great meal, while I am hungrily waiting for daylight so I can go work out, lol~ XD

6 years ago

Deleted

This comment was deleted 2 years ago.

6 years ago

Correct me if I'm wrong. I understand that you only need an ordinary account like any of us have here. To access Steamworks though, you have to be registered in the program, which, when I go to Steamworks, means I have to register with the agreement.

This restricted access page contains Valve confidential information. You must have a non-disclosure and/or license agreement covering confidential information with Valve to use or access this page.

I am not sure how far it goes, but unless the tools/flaw are accessible without agreeing to the agreement, I guess someone with bad intentions may register and exploit the flaw. However, agreeing to the agreement gives you privileges on your account? I do not mean a web developer level of access to the Steamworks API, because that way you can practically access everything, but a game dev level of access on Steamworks, where the API resides.

If your normal Steam account is given more privileges and access, isn't it not a normal account anymore? I'm not sure how they differentiate users in their database, but taking Indiegala as an example, the admins representing a publisher, reseller or game developer do not have any status badge. Pretty sure there is an indication in the database.

The difference I am discussing is: can an ordinary Steam account with no access to the tools in the Steamworks API exploit the flaw on the browser interface? Or do they need to register with Steamworks to exploit the flaw, at which point the account is not an ordinary Steam account (like a guild member)?

Not trying to argue or be a nuisance, hope you understand. Warmest Regards, Cruse~ :)

6 years ago

Deleted

This comment was deleted 2 years ago.

6 years ago

Indeed, as far as we can speculate from the article, as you mentioned. It may be incredibly vulnerable if a logged-in account can send a request at the first UI page it enters, since the parameters and conditions seem easily met. keycount, from what I guess, is that if the keycount is 1 then the return result is true (which means they own the game), which cuts the loop and exits without assigning the key, which is pretty standard programming, using 1 or 0 instead of null.

Why I am pretty persistent on access level is because it seems extremely weak to be able to access the UI tools that easily if any account can be used to register, which just may be the case. Thank you for your patience on this. :D
Sincere Regards, Cruse~

6 years ago

To me it seems like an intentional backdoor left by some dev. This so called "bug" is not even junior level material. I can only explain it by being intentional, especially since it concerned such a critical aspect of their system.

6 years ago

Maybe they paid him only $19K out of the $20K package they promised, so he couldn't be bothered to tie up the loose ends. Though it's not uncommon for devs to leave flaws, such as in operating systems. There's no perfect program, just hidden doors, imo. ;)
Regards, Cruse~

6 years ago

Yeah it's depressing how so many high profile vulnerabilities like this turn out to be such trivial "mistakes"...

6 years ago

Deleted

This comment was deleted 6 years ago.

6 years ago

Indeed, I would too instead of 1K hentai games in my library XD hahaha~

6 years ago

Yeah, I would probably go for the 9-millimeter approach as well. Also that way I could check if he has a personal copy of HL3 the rest of the world will never get to see :D

6 years ago

And if he doesn't? COERCE HIM INTO MAKING ONE!

The 9mm approach is so useful ;)

6 years ago

Indeed :D

6 years ago

About your title, actually the bug report says: "an authenticated user could download previously-generated CD keys"

6 years ago

To be honest, I was already quite hungry when I found the article but wanted to post about it anyway, so I only quickly cross-read both articles :D

I guess "accessing" would be more accurate then?

6 years ago*

Something like that I guess. Hard to insert accurately without making the title longer ^^

6 years ago

Yeah, I was trying to avoid making the title too convoluted. But I think "accessing" will do fine for now :)

I hope nobody writes a lengthy reply while I change the title :D

6 years ago

Deleted

This comment was deleted 4 years ago.

6 years ago*

I just crossed over 30k games set to "not interested" on Steam today, so there are quite a few more than 26K. :)

6 years ago

Deleted

This comment was deleted 4 years ago.

6 years ago

Should have generated a ton of keys for all the good delisted games people want, and then paid the devs back via anonymously sent envelopes/bags/boxes filled with cash. :p

6 years ago

I would just want my photo taken with GabeN, both brandishing 9mm's Charlie's Angels style.

6 years ago

That would make a sweet photo :D

6 years ago

If it ever happens, you can be the third Angel.

6 years ago

I was gonna ask if I can be Huggy Bear instead, I think that would suit me better, but apparently that's the wrong show :D Well, I'll just put my own spin on it ^^

6 years ago

Well it says this:

Audit logs were not bypassed using this method, and an investigation of those audit logs did not show any prior or ongoing exploitation of this bug.

6 years ago

No I wouldn't have robbed them. I don't even know where Gabe lives.

6 years ago

Internet says it's here.

6 years ago

I'd have blackmailed Gaben. I would have said if you don't release HL3, L4D3, Portal 3, TF3, Counter-Strike 3 (have to be consistent), I will generate billions of keys for everyone in the world.

6 years ago

And then Gaben would just revoke those keys and patch the bug, and you would be missing 20 grand.

6 years ago

20k is very little for the guy. It's less than $1 for each game on Steam, which I'd point to as the bare minimum reward for this flaw.

6 years ago

I honestly don't know, I'd probably be afraid that exploiting the flaw would get me banned.
But hypothetically, if I knew for a fact that I wouldn't get in trouble for it, then hell yes, I'd go ahead and grab a game or two, perhaps three :D No more than that, though.

6 years ago

I saw several Portal 2 keys dumped in a public forum a while ago. That wouldn't have been a coincidence.

6 years ago

They should have given him a few million dollars, not 20k.
If he wanted, he could have easily made millions selling keys.

6 years ago

If you are smart enough to discover such a security flaw, then you are smart enough not to exploit it. You probably wouldn't get away with just a simple account ban if you are caught, and Valve has better lawyers.

6 years ago

Um, both the SQL injection and the assignkeys vulnerability were published 1,5 months ago on the Russian tech site habr.com by the guy himself.
original article in russian
google translated

6 years ago

It's a nice gesture on the part of Valve but I hope they offered him some kind of job opportunity in addition to the reward.

6 years ago

I wouldn't really call it a gesture, since bug bounties are AFAIK standard in the industry. I agree that it would have been nice, but given that Artem is from Ukraine and Valve sits in (the state of) Washington, I doubt it.

And while this is a particularly big fuckup, Valve screws up pretty much on a bi-weekly basis, so if they hired everyone who points it out to them when they do, they'd have more employees than the federal government :D

6 years ago

Closed 5 years ago by Sundance85.