Would you have robbed Valve blind?
I have to start cooking now so I won't be able to moderate this thread or respond to comments.
Thank you :) In case anybody was wondering it's gonna be Berner sausages with fried potatoes and onions :D
My paws are way too clumsy for that :D I do however know a Rottweiler whose human might be able to hook you up. They're a bit twitchy though (both the dog and her human) so no sudden movements :P
I am reminded of the episode of The Simpsons where Ralph ate some unknown berries off of a bush.
"It tastes like....burning!" :)
But would it allow key generation for Half-Life 3?
Generating keys is too immoral for me. I wouldn't have taken advantage of it even if given the chance.
One of the reasons I "gave up" programming is the amount of time you need to decode. You may spend 5-6 hrs looking at the code just to find out it was just a capitalization error. I am not smart enough nor am I patient enough for it. I am pretty sure he spent a good amount of time, so the bounty is what it is, and it saves Valve far more than the bounty offered. :)
Well, since the flaw lies in Steamworks and you need to be licensed for Steamworks, even if I paid $100 for the access or whatever I would not risk my reputation and work. It's a much smaller gain than the amount gained from the bounty. What's more, since everything is on a Steam account, when you are eventually found out all Valve has to do is suspend your account and that's it. So why bother? Take the bounty! XD
Cheers~
No. Apparently despite being part of Steamworks you didn't need developer privileges to find or exploit the flaw. I was wondering that myself so I was glad the ZDNet article points it out ;)
Moskowsky found the bug in a Steam web API located at partner.steamgames.com/partnercdkeys/assignkeys/.
Hmm, pretty sure it means you have to have access to the folder, then you can generate, but you can assign them to accounts.
Using the /partnercdkeys/assignkeys/ endpoint on partner.steamgames.com with specific parameters, an authenticated user could download previously-generated CD keys for a game which they would not normally have access.
From HackerOne, via ZDNet's article. :)
Cheers~
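An added illustration of the authorization gap the HackerOne summary quoted above describes; this is not Valve's code or the researcher's. It models an "assign keys" style handler that only checks login beside one that also checks the caller's partner account is licensed for the requested app and that keycount is within range. The session/partner model, the data and all names are assumed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed sample data (assumed): which partner account is licensed for which
# app IDs, and the CD keys already generated for each app.
PARTNER_APPS: Dict[str, Set[int]] = {"partner-a": {100}, "partner-b": {200}}
GENERATED_KEYS: Dict[int, List[str]] = {
    100: ["AAAAA-BBBBB-CCCCC", "DDDDD-EEEEE-FFFFF"],
    200: ["GGGGG-HHHHH-IIIII"],
}

@dataclass
class Session:
    user: Optional[str]     # authenticated account name, None if not logged in
    partner: Optional[str]  # partner account the user belongs to, if any

class Forbidden(Exception):
    """Request rejected; a real service would log this for monitoring."""

def assign_keys_vulnerable(session: Session, appid: int, keycount: int) -> List[str]:
    """Authentication only: any logged-in account can fetch previously generated
    keys for any appid, the class of flaw the bug report describes."""
    if session.user is None:
        raise Forbidden("not authenticated")
    return GENERATED_KEYS.get(appid, [])[:keycount]

def assign_keys_fixed(session: Session, appid: int, keycount: int) -> List[str]:
    """Authentication plus object-level authorization: the caller's partner must
    be licensed for the requested appid, and keycount must be within range."""
    if session.user is None:
        raise Forbidden("not authenticated")
    if appid not in PARTNER_APPS.get(session.partner or "", set()):
        raise Forbidden(f"{session.user} is not licensed for app {appid}")
    available = GENERATED_KEYS.get(appid, [])
    if not 0 < keycount <= len(available):
        raise Forbidden(f"invalid keycount {keycount} for app {appid}")
    return available[:keycount]

def denied(handler: Callable[..., List[str]], *args) -> bool:
    """True if the handler rejects the request, False if it hands out keys."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False
```

Every rejection in the fixed handler raises the same exception type, which is the natural place to emit a log line so repeated denials for apps a partner does not own can be alerted on.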
To be honest I was already quite hungry when I found the article but wanted to post about it anyway, so I only quickly cross-read both articles. You seem to be pretty well informed on the matter so I'll cross out that part about not requiring developer privileges for now.
Correct me if I'm wrong. I understand that you only need an ordinary account like any of us have here. To access Steamworks though, you have to be registered in the program. When I go to Steamworks I have to register with the agreement.
This restricted access page contains Valve confidential information. You must have a non-disclosure and/or license agreement covering confidential information with Valve to use or access this page.
I am not sure how far it goes, but unless the tools/flaw are accessible without agreeing to the agreement, I guess someone with bad intentions may register and exploit the flaw. However, agreeing to the agreement gives privileges to your account? I do not mean a web developer level of access to the Steamworks API, because that way you can practically access everything, but a game dev level of access on Steamworks, where the API resides.
If your normal Steam account is given more privileges and access, isn't it not a normal account anymore? I'm not sure how they differentiate users in their database, but taking Indiegala as an example, the admins representing a publisher, reseller or game developer do not have any status badge. Pretty sure there is an indication in the database.
The difference I am discussing is: can an ordinary Steam account with no access to the tools in the Steamworks API exploit the flaw in the browser interface? Or do they need to register with Steamworks to exploit the flaw, at which point the account is not an ordinary Steam account (like a Guild Member)?
Not trying to argue or be a nuisance, hope you understand. Warmest Regards, Cruse~ :)
Indeed, as far as we can speculate from the article, as you mentioned, it may be incredibly vulnerable if a logged-in account can send a request from the first UI page it enters, since the parameters and conditions seem easily met. As for keycount, my guess is that if keycount is 1 then the return result is true (which means they own the game), which cuts the loop and exits without assigning the key; that's a pretty standard programming parameter using 1 or 0 instead of null.
Why I am pretty persistent on the access level is because it seems extremely weak to be able to access the UI tools that easily if any account can be used to register, which just may be the case. Thank you for your patience on this. :D
Sincere Regards, Cruse~
To me it seems like an intentional backdoor left by some dev. This so called "bug" is not even junior level material. I can only explain it by being intentional, especially since it concerned such a critical aspect of their system.
Maybe they paid him only $19K out of the $20K package they promised, so he couldn't be bothered to tie up the loose ends. Though it's not uncommon for devs to leave flaws, in operating systems and such. There's no perfect program, just hidden doors, imo. ;)
Regards, Cruse~
Yeah it's depressing how so many high profile vulnerabilities like this turn out to be such trivial "mistakes"...
Yeah, I would probably go for the 9-millimeter approach as well. Also that way I could check if he has a personal copy of HL3 the rest of the world will never get to see :D
About your title, actually the bug report says: "an authenticated user could download previously-generated CD keys"
To be honest I was already quite hungry when I found the article but wanted to post about it anyway, so I only quickly cross-read both articles :D
I guess "accessing" would be more accurate then?
Something like that I guess. Hard to insert accurately without making the title longer ^^
Yeah, I was trying to avoid making the title too convoluted. But I think "accessing" will do fine for now :)
I hope nobody writes a lengthy reply while I change the title :D
I just crossed over 30k games set to "not interested" on Steam today, so there's quite a few more than 26K. :)
Should have generated a ton of keys for all the good delisted games people want, and then pay the devs back via anonymously sent envelopes/bags/boxes filled with cash. :p
20k is very little for the guy. It's less than $1 for each game on steam, which I'd point as the bare minimum reward for this flaw.
I honestly don't know, I'd probably be afraid that exploiting the flaw would get me banned.
But hypothetically, if I knew for a fact that I wouldn't get in trouble for it, then hell yes, I'd go ahead and grab a game or two, perhaps three :D No more than that, though.
Um, both the SQL injection and the assignkeys vulnerability were published 1.5 months ago on the Russian tech site habr.com by the guy himself.
Original article in Russian
Google translated
I wouldn't really call it a gesture since bug bounties are AFAIK standard in the industry. I agree that it would have been nice but given that Artem is from Ukraine and Valve sits in (the state of) Washington I doubt it.
And while this is a particularly big fuckup, Valve screws up pretty much on a bi-weekly basis, so if they hired everyone who points it out to them when they do, they'd have more employees than the federal government :D
I just came across this interesting article and was surprised not to have heard about it here first. Apparently there was an (already closed) flaw in the Steamworks API that allowed accessing activation keys for every game on Steam. The flaw was discovered by Ukrainian vulnerability researcher Artem Moskowsky, who reported the breach to Valve in August 2018 and was rewarded with a $20,000 bug bounty. Despite being part of Steamworks, you did not need developer privileges to find or exploit the flaw.
Apparently, when he initially found the flaw he was able to generate 36,000 valid keys for Portal 2, but then he realized the full scope of the flaw and that it affected every game on Steam. After being made aware of it in August, Valve fixed the breach ASAP, and Moskowsky has now been legally allowed to discuss the matter publicly. It is unclear if anybody else ever found or exploited this issue before Moskowsky stumbled upon it.
Initially I found this article about it on a German gaming site first, but then realized it would be better to put the English source article on top of the post and not at the bottom.