[adrotate group = “15”]
A security researcher named drbrix at Hackerone found an exploit in Valve’s Steam Wallet system, according to a report by Kotaku.
The exploit in question was very specific, requiring the user to change their email to include “amount100” and use a Smart2Pay payment method. However, if done correctly, users would be able to add funds to their account of any amount, intercept the POST request, and add value to the Steam Wallet. This would mean that malicious actors could in theory receive free games and sell Steam Keys at lower than market value. The full description can be read here.
It was first reported to Valve on August 9th, and then made public on August 10th. Valve has since fixed the exploit and paid drbrix $7500 for reporting the issue.
It is not uncommon for companies to pay those who find exploits in their systems. In many cases, these hacks could lead to large loss of data, revenue, etc. that would incur much larger payments than this small compensation.