A Bug in Steam, Which Was Recently Patched, Could Have Given Users Access To Activation Key of Any Game

Ukrainian vulnerability researcher has found a bug that would have allowed him to download all the activation keys (also known as CD keys) made available through the Steam gaming platform, for any game, ever. From a report: Discovered by Artem Moskowsky, the bug resided in Steamworks, a platform that Valve runs to help developers with building and publishing games via its Steam gaming client. Moskowsky found the bug in a Steam web API located at partner.steamgames.com/partnercdkeys/assignkeys/. This is the API that lets game developers or affiliates retrieve CD keys made available to Steam users so their customers can activate a game installed via the Steam client. This API is accessible using a regular Steam account and takes several parameters, but the ones most relevant are appid (representing the game), keyid (representing the identifier of a set of CD keys), and keycount (representing the number of CD keys that Steam needs to return inside a CD key set).

A Bug In Slashdot Gives AC Access to First Post

exploited, m'gentle ladies

But without auditing?

[SirMasterboy]

Do we really think that usage of that API wouldn't have been audited though?

Re:But without auditing?

Only if some dumbfuck downloaded them all at once, sure.
But if you downloaded them in random chunks at a time, it would seem like regular usage patterns on the server logs.
Whether they have a system in place to alert if, say, money coming in wasn't equal to the keys going out, or something along those lines, is another question.

A lot of people overlook usage patterns in their APIs, usually leaving algorithms to deal with it.
But you can cheat a lot of algorithms in the right ways if you trial-and-error information out of it.
It will in this case require illegal activity, of course, but it could probably have been done. Hell, it might have been done! You never know with all these key-resellers. They say they could be other peoples keys, but you never know for sure.

Re:But without auditing?

[MrL0G1C]

A criminal would grab thousands of keys for full price AAA titles and sell them on grey market sites for a quick profit, they wouldn't care if the keys got revoked after an audit.

Re:But without auditing?

And with gray market site you mean G2A.
They claim to be legit but have no qualms about selling stolen keys.

Now you tell me...

What good is it if they already patched it?

Re: Now you tell me...

They already patched it? So, just a pile of crickets then for this post?

Thanks Artem Moskowsky

This is why we can't have nice things

No thanks to free stuff

[kaoshin]

Even if all Steam games were available for free, I would still pay, because I want to continue to support what they are doing for gaming on Linux. I do take advantage of a lot of the sales they run though.

Re:No thanks to free stuff

if everything were free I'd still pay

peak socialist economics

Re:No thanks to free stuff

what linux games, you mean all the hentai dating sim visual novels?

Re:No thanks to free stuff

[Tukz]

Valve is basically funding DXVK, a low-level Vulcan based translation layer for Direct3D 10/11.

Their work with Proton (Steam version of Wine) is amazing and they have made amazing progress the last few months. Thousands of games are now available through "Steam Play" via Proton and DXVK.

Valve isn't making any of those "hentai dating sim visual novels" you speak of.

Did he get any keys as a reward?

[Only+Time+Will+Tell]

I wonder if Steam tossed any free keys his way for the heads up about this hole. I did see he got $20K for this effort, which would buy a lot of games of Civilization!

Re:Agree

[wolfheart111]

Looking forward to the christmas discounts :)

Re:Agree

[rtb61]

Steam have got more than just a little douche baggery, allowing developers who sold you the game, to force downgrades after buying the game, to sell DLC matched to that downgrade. Steam is now chasing the developers to screw over the users, rather than the other way around. I have stopped buying on Steam to take back control of game upgrades to block install of shitty downgrades, worse to date, Paradox and Stellaris. Watch you game be forced upgraded to now serve you publisher ads and slowed down application start to serve ads, watch you game adjusted to serve make believe new SJW customers, watch your game suddenly becoming well worse all round, when the next version comes out. Until Steam gets it shit together on game updates and patch fixes, you should probably avoid it because it is going to get worse rather than better. I would not touch Steam, until the user gets to choose which patches to run the game with, some of them are truly shite.

Re:Agree

[josiahgould]

That seems more like a problem with the developer/publisher than it is a problem with Steam. Uplay and Origin are just as bad at "up"downgrades, but there not the big guy so nobody whinges.

Re:Agree

[Cederic]

I would not touch Steam, until the user gets to choose which patches to run the game with

You've had the ability to avoid patching your Steam games for around a decade now.

That's not quite selective patching but effectively operates the same way, given patches generally have a dependency relationship. If you skip one you mostly aren't getting later ones whether you're on Steam or not.

Re:Game developers

[wolfheart111]

Im sure some are better than others.