A US hacker has been awarded a $7500 bounty for reporting a critical security flaw in payment platform Valve. Interestingly, the hacker had stumbled upon that very flaw, which allowed him to rake in unlimited funds to his Steam wallet. Following this, he came forward and reported the exploit, leading to a cash reward for his honesty.
A Platform For “Honest” Hackers
The hacker had come across the exploit, which helped him generate funds for his Steam wallet without paying the full fees for them. He then explained the hacking process on online forum HackerOne, saying that all that was required was an email address linked to a valid Steam account. The email address had to include the term “amount”, followed by a series of numbers. The number that came after “amount” was the amount of money that would be deposited into the wallet of that Steam account. So the term “amount5000” would elicit a transaction of $5000.
Once the email address was registered, a payment of $1 would have to be initiated for the specified funds to be delivered to that account. The hacker even went as far as to execute the whole process, the success of which proved his theories and calculations.
The hacker in question is Drbrix, a hacker-cum-security researcher on HackerOne. The platform helps companies like Valve learn more about exploits, hacks, and breaches on their websites, apps and the like, by connecting them with hackers like Drbrix who “tinker around” on such platforms in a bid to unveil such flaws. The companies, in return, may provide them with cash rewards for their help.
A Small Price For A Major Help?
The exploit apparently worked through a flaw in the payment methods on the platform’s Smart2Pay system. The issue has since been patched up by Valve (as it should have been). The company has even reached out to the hacker to express gratitude for his honesty, and has offered to reward him with a cash bounty of $7500 as a way of thanking him. A Valve rep named JonP has also said that Drbrix’s explanation was “clearly written,” and helped them identify the risk quickly.
While the hacker deserves props for bringing the issue to light instead of using the same for his own benefit, the reward offered by Valve seems a little measly when one considers the losses Valve would have had to incur, had the flaw gone public.