Steam Bug Allowed Access to Any Game’s Activation Keys
Ukrainian cybersecurity researcher Artem Moskowsky revealed a vulnerability in the Steamworks platform, which is designed for developers working with Steam. The flaw allowed anyone to obtain all activation keys (CD-keys) for any game listed on Steam.
How the Vulnerability Worked
The researcher discovered the issue in the API at partner.steamgames.com/partnercdkeys/assignkeys/. This API gives developers and other authorized parties access to a game's CD-keys, which users can use to activate products on Steam.
Surprisingly, this API was also reachable from regular Steam accounts. It accepted several parameters, the most important being appid (the game's ID), keyid (the identifier of a CD-key set) and keycount (the number of keys Steam should return from that set).
Normally, requesting activation keys for a game that your account is not authorized to manage should produce an error from the API. Moskowsky found, however, that setting keycount to "0" bypassed that restriction and returned a file containing every activation key in the set, for any game.
Potential Impact and Discovery
Moskowsky told ZDNet that during his research he was able to generate and download more than 36,000 CD-keys for Portal 2. Worse, a potential attacker could simply iterate over Steam's game IDs and download the activation keys for every title in turn, since finding valid appid and keyid values was not difficult.
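To make the bug class concrete, here is an added illustration of both the keycount bypass and the enumeration attack described above. It is not Valve's code and the article does not say how the real endpoint was implemented; the handler below is a hypothetical reconstruction in which the ownership check is only reached on the "hand out N keys" branch, so a zero count falls through to a full export. The key store, account names, appids and keys are all constructed for the example.

```python
# Added illustration of the bug class in this article: a hypothetical
# key-handout endpoint whose authorization check depends on keycount.
# This is NOT Valve's code; the store, accounts and IDs are constructed.


class Forbidden(Exception):
    """Caller is not allowed to manage this app's keys."""


class BadRequest(Exception):
    """Malformed or unknown parameters."""


# Constructed sample key store: appid -> publisher account and keyid -> keys.
KEY_STORE = {
    620: {"owner": "publisher_a", "sets": {1: ["AAAAA-11111", "AAAAA-22222", "AAAAA-33333"]}},
    400: {"owner": "publisher_a", "sets": {1: ["BBBBB-11111", "BBBBB-22222"]}},
    730: {"owner": "publisher_b", "sets": {1: ["CCCCC-11111"]}},
}


def is_authorized(account, appid):
    app = KEY_STORE.get(appid)
    return app is not None and app["owner"] == account


def assign_keys_vulnerable(account, appid, keyid, keycount):
    """Hypothetical vulnerable handler. The ownership check only guards the
    'hand out keycount keys' branch; keycount == 0 is treated as 'export the
    whole set' and never reaches that check."""
    app = KEY_STORE.get(appid)
    if app is None:
        raise BadRequest("unknown appid")
    keys = app["sets"].get(keyid)
    if keys is None:
        raise BadRequest("unknown keyid")
    if keycount > 0:
        if not is_authorized(account, appid):
            raise Forbidden("not the publisher of this app")
        return keys[:keycount]
    return list(keys)  # the bypass: full dump with no authorization


def assign_keys_fixed(account, appid, keyid, keycount):
    """Hardened handler: authorize first, independently of every other
    parameter, and reject a zero or negative count outright."""
    if not is_authorized(account, appid):
        # Same response for 'no such app' and 'not yours', so an unauthorized
        # caller cannot use this endpoint to confirm which appids exist.
        raise Forbidden("not the publisher of this app")
    keys = KEY_STORE[appid]["sets"].get(keyid)
    if keys is None:
        raise BadRequest("unknown keyid")
    if keycount < 1:
        raise BadRequest("keycount must be at least 1")
    return keys[:keycount]


def probe(handler, account, appid, keyid, keycount):
    """Call a handler and return either the key list or the error name."""
    try:
        return handler(account, appid, keyid, keycount)
    except (Forbidden, BadRequest) as exc:
        return type(exc).__name__


def dump_all_keys(handler, account, appids, keyids):
    """The enumeration attack from the article: sweep candidate appid/keyid
    pairs with keycount=0 and keep every key set that comes back."""
    found = {}
    for appid in appids:
        for keyid in keyids:
            result = probe(handler, account, appid, keyid, 0)
            if isinstance(result, list):
                found[(appid, keyid)] = result
    return found


if __name__ == "__main__":
    # An ordinary account with no publisher rights walks away with every key
    # from the vulnerable handler and with nothing from the fixed one.
    sweep = dump_all_keys(assign_keys_vulnerable, "random_user", range(1, 1000), (1, 2))
    print(sum(len(k) for k in sweep.values()), "keys leaked across", len(sweep), "sets")
    print(dump_all_keys(assign_keys_fixed, "random_user", range(1, 1000), (1, 2)))
```

The design point is the one the fix illustrates: the authorization decision must be made once, up front, from the caller's identity and the target resource alone, so that no value of a quantity, pagination or format parameter can route the request around it. Rejecting keycount values below 1 closes the specific path, but it is the reordering that closes the class.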
Valve’s Response and Researcher’s Reward
Back in August of that year, Moskowsky reported the vulnerability to Valve’s engineers through the official bug bounty program on HackerOne. The bug was fixed within a few days, and the researcher received a reward of $20,000. However, he was only recently allowed to publicly disclose his findings.
This is one of the largest rewards Valve has ever paid, but it’s not the first major bug Moskowsky has found. Earlier that summer, he discovered that Steamworks was vulnerable to SQL injection attacks, earning him $25,000. Moskowsky also told reporters that he previously found vulnerabilities in the ViaBTC mining pool (reward: $18,000) and in Samsung products (reward: $13,300).