The researcher who discovered the bug has been awarded a US$7,500 bounty.
It's simple enough to exploit but that seems like a Smart2Pay bug rather than a Steam bug.
Quite easy really. I'm more impressed by them working out the validation checks would be passed by putting the token somewhere else. Something I've seen before though, the mistake might be something like there are two independent checks
The user would then have to intercept the corresponding POST request to the Smart2Pay API, where they could edit the credit amount up to $100.
Step 4 sounds a bit technical, and I'm not sure how simple it would have been to execute.
"Is the item code present" it finds a valid value then stops searching.
"Is the message signed and valid". It goes to the bottom of the message, skipping over the real item code and reads a valid signature.
As a result it reports the transaction is good for up to $100 when it was only worth $1.
As for step 4 you can do that yourself.
Grab Firefox, grab Burp Suite (or some other interception proxy). Point Firefox proxy at Burp, add the Burp certificate to Firefox. You can now view and edit all your traffic. Same principle can be applied to any browser, game or the Steam client itself.
Surprised that wasn't worth more than $7500 to them.
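The "two independent checks" guess made earlier in the thread, sketched as an added Python example (not from any poster, and not Steam's or Smart2Pay's code): a validator whose two checks read the same body differently, beside one that parses once and trusts only signed values. The field names `amount`, `item` and `sig`, the HMAC scheme and the key are all assumptions for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

KEY = b"constructed-demo-key"  # constructed for this example, not a real secret

def sign(fields):
    """HMAC-SHA256 over the sorted key=value form of the fields (assumed scheme)."""
    canon = "&".join(f"{k}={v}" for k, v in sorted(fields.items()))
    return hmac.new(KEY, canon.encode(), hashlib.sha256).hexdigest()

def signature_ok(fields):
    """Pop 'sig' from fields and compare it in constant time."""
    sig = fields.pop("sig", "")
    return hmac.compare_digest(sig.encode(), sign(fields).encode())

def validate_split(body):
    """Flawed pattern: two checks that each read the message their own way."""
    pairs = parse_qsl(body, keep_blank_values=True)
    # Check 1: take the first 'amount' found and stop searching.
    amount = next(v for k, v in pairs if k == "amount")
    # Check 2: verify the signature over a last-wins view of the same body.
    if not signature_ok(dict(pairs)):
        raise ValueError("bad signature")
    return amount  # may be a value the signature never covered

def validate_single(body):
    """Hardened: parse once, reject duplicates, return only signed values."""
    pairs = parse_qsl(body, keep_blank_values=True, strict_parsing=True)
    fields = dict(pairs)
    if len(fields) != len(pairs):
        raise ValueError("duplicate field")
    if not signature_ok(fields):
        raise ValueError("bad signature")
    return fields["amount"]

def sample_bodies():
    """Constructed inputs: a signed $1 message, and one with an extra amount."""
    signed = "amount=1&item=wallet"
    signed += "&sig=" + sign({"amount": "1", "item": "wallet"})
    return signed, "amount=100&" + signed

if __name__ == "__main__":
    signed, padded = sample_bodies()
    print(validate_split(padded))       # unsigned value is accepted
    try:
        validate_single(padded)
    except ValueError as exc:
        print("rejected:", exc)
```

The hardened path works because the value it returns comes from the same parsed structure the signature was verified over, so there is no second reading of the body to disagree with the first.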