Slashdot Mirror


A Bug in Steam, Which Was Recently Patched, Could Have Given Users Access To Activation Key of Any Game (zdnet.com)

A Ukrainian vulnerability researcher has found a bug that would have allowed him to download all the activation keys (also known as CD keys) made available through the Steam gaming platform, for any game, ever. From a report: Discovered by Artem Moskowsky, the bug resided in Steamworks, a platform that Valve runs to help developers with building and publishing games via its Steam gaming client. Moskowsky found the bug in a Steam web API located at partner.steamgames.com/partnercdkeys/assignkeys/. This is the API that lets game developers or affiliates retrieve CD keys made available to Steam users so their customers can activate a game installed via the Steam client. This API is accessible using a regular Steam account and takes several parameters, but the ones most relevant are appid (representing the game), keyid (representing the identifier of a set of CD keys), and keycount (representing the number of CD keys that Steam needs to return inside a CD key set).

4 of 19 comments

  1. No thanks to free stuff by kaoshin · · Score: 5, Insightful

    Even if all Steam games were available for free, I would still pay, because I want to continue to support what they are doing for gaming on Linux. I do take advantage of a lot of the sales they run though.

    1. Re:No thanks to free stuff by Tukz · · Score: 2

      Valve is basically funding DXVK, a low-level Vulkan-based translation layer for Direct3D 10/11.

      Their work with Proton (Steam version of Wine) is amazing and they have made amazing progress the last few months. Thousands of games are now available through "Steam Play" via Proton and DXVK.

      Valve isn't making any of those "hentai dating sim visual novels" you speak of.

      --
      - Don't do what I do, it's probably not healthy nor safe. -
  2. Did he get any keys as a reward? by Only+Time+Will+Tell · · Score: 2

    I wonder if Steam tossed any free keys his way for the heads up about this hole. I did see he got $20K for this effort, which would buy a lot of games of Civilization!

  3. Re:But without auditing? by MrL0G1C · · Score: 3, Insightful

    A criminal would grab thousands of keys for full-price AAA titles and sell them on grey market sites for a quick profit; they wouldn't care if the keys got revoked after an audit.

    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.