
Adding infinite funds to your Steam wallet - $7,500 bug bounty report 

Bug Bounty Reports Explained
54K subscribers
31K views

🧪 Get access to hands-on labs: bbre.dev/premium
✉️ Sign up for the mailing list: bbre.dev/nl
📣 Follow me on Twitter: bbre.dev/tw
This video is an explanation of a $7,500 vulnerability reported to Valve's bug bounty program. The bug allowed adding infinite funds to a user's Steam account by exploiting a flaw in the integration of Steam with Smart2Pay.
✉️ Sign up for the mailing list ✉️
mailing.bugbountyexplained.com/
🖥 Get $100 in credits for Digital Ocean 🖥
m.do.co/c/cc700f81d215
Report:
hackerone.com/reports/1295844
Reporter's hackerone profile:
hackerone.com/drbrix
Follow me on twitter:
/ gregxsunday
Timestamps:
00:00 Intro
00:33 The flow of adding funds to Steam account
04:36 Constructing the signature
05:30 The exploit
07:52 How to access hands-on labs?

Science

Published: 4 Jul 2024

Comments: 79
@windwest720 2 years ago
No one will report such a vuln for just $7500 on Steam, Gabe Nice Job.
@hugohabicht6274 2 years ago
7.5k$ seems very low for this vulnerability.... That guy could have used it to generate millions, then bought csgo skins and could have cashed them out on a third party site into real money....
@ABEL85ky 2 years ago
I was just thinking the same thing. A 7,500 dollar payout for a bug that could've cost Steam millions.
@pinguluk1 2 years ago
He would have been sued for sure if he had done that
@fedemolto 2 years ago
Great video, I think US$7,500 is a cheap reward for the magnitude of the vulnerability.
@youcefkel4743 2 years ago
exactly what I was thinking man. People got $30,000 for admin account takeover. How is this getting 7500 only? Steam is cheap as hell
@eggman2543 2 years ago
They will learn, when someone sells the vulnerability on the dark web for thousands of dollars
@soksamnang2150 2 years ago
@@eggman2543 that's when they get into trouble, do not mess with the dark web if you think long term
@rainsharpay4090 2 years ago
@@soksamnang2150 ss
@elnur0047 2 years ago
this will hurt Steam in the long run I think, dude only got $7500 for an exploit that literally steals money, next one won't be reported
@Bleudog 1 year ago
What a simple but brilliant approach. Great explanation.
@Umar0x01 2 years ago
woah so cool, thanks for the detailed explanation!
@-bubby9633 2 years ago
Haha what a fantastic clever bug! Such a little change yet big impact. Really shows the importance of reading docs for third party software incorporated by your target.
@yashwanthd1998 2 years ago
Great explanation. Some serious logical thinking by the researcher
@villandoom 2 years ago
So he had the ability to get unlimited funds on the biggest game platform in the industry and he sold the ability for 7500
@tmayonovki 9 months ago
big brains bro... good job great explanation
@BugBountyReportsExplained 2 years ago
Hello! Welcome to the comment section. If you want to get access to hands-on labs, along with many other benefits of BBRE Premium, click here: premium.bugbountyexplained.com/ To get 25% off, use the code AMOUNT100
@J0R1AN 2 years ago
Very interesting, but how did the researcher know that the hash was being generated by concatenating the parameters and values? You said Steam was not open source, and you also wouldn't be able to test possibilities to see if they match because you don't have the secret key
@BugBountyReportsExplained 2 years ago
Steam is not, but some plugins for Smart2Pay are available on GitHub. For example, when preparing for this video, I was reading this project: github.com/Smart2Pay/opencart1564 Funny thing I've noticed in this outdated one: github.com/Smart2Pay/magento Here, the hash was generated without any secret😂
@J0R1AN 2 years ago
@@BugBountyReportsExplained Oh cool, makes sense. Thanks for the info
@emadeddin_ 2 years ago
@@J0R1AN Interesting thinking, well done..
@linuxuser5505 2 years ago
How to start on bug hunting? What do I need to learn/skills that I need? For example, Google opened a bug bounty program for Android 12 on Pixel 5, 4, 4A, 3 devices, etc. Do I need to buy the phone to perform the pentest? Is pentesting similar to bug hunting? Edit: and the tools?
@BugBountyReportsExplained 2 years ago
start learning with PortSwigger's websec academy. Don't worry about mobiles yet. pentesting is somewhat similar to bug bounty. learn Burp Suite
@OthmanAlikhan 1 year ago
Thanks for the video =)
@_bergee_ 2 years ago
I didn't expect you to be a fellow countryman of mine :) Great work!!!
@BugBountyReportsExplained 2 years ago
Greetings!
@stefanjia8387 2 years ago
Nice find. It seems that Steam does not care about security, how can they just pay 7500 for this bug?
@matthewzamat3331 1 year ago
Ha. Genius. Thanks for sharing
@0xx039 2 years ago
Wondering how the researcher figured out the hash.... Great video.
@BugBountyReportsExplained 2 years ago
I was wondering, too. I can't speak for him, but when preparing for this video, I was looking at the source code of signature generation from one of the open source Magento plugins for Smart2Pay: github.com/Smart2Pay/opencart20/blob/master/catalog/controller/payment/smart2pay.php#L518 The link leads to the line where the signature is created and above it is the for loop that splits the body by & and = and concatenates.
@jw0725 2 years ago
Btw this doesn't work. It's just a scam
@Explorerhabib 2 years ago
Great bruh
@hdphoenix29 2 years ago
Excellent
@javohir307 2 years ago
Isn't $7500 too little for this bug?? What do you think?
@BugBountyReportsExplained 2 years ago
There's always this discussion. The bounty paid often doesn't equal potential losses for the company. But the sad truth is that, looking from the program's perspective, if there are hunters who are willing to dedicate their time, knowing what bounty they will potentially get, then payouts are enough. Basically hunters vote with their time on whether payouts are good enough or not.
@cybersecurity3523 2 years ago
Good bro
@ahmadshami5847 2 years ago
just great as always 👌👌👌. So it's basically like abusing an API to manipulate arguments like HTTP content. I am actually trying to discover some bugs in mobile applications. But I am stuck at the point of what tools can analyse most of the protocols other than HTTP interceptors like Burp or ZAP. Where can I find such tools and documentation for such tools?? cuz I think that most undiscovered bugs lie in those uncommon communication protocols (for example I know that WhatsApp uses a unique protocol created by the WhatsApp team, but don't know how to intercept it)
@BugBountyReportsExplained 2 years ago
you can use Wireshark to analyse traffic but I don't think you will be able to intercept it and modify it in flight. It will be hard to find a tool ready for a custom-made protocol. You can also go the other way. Instead of intercepting the message after it leaves WhatsApp, try to attach to the application and modify messages like that. I'm not an expert when it comes to these things but tools that come to my mind for that would be Frida or gdb
@ahmadshami5847 2 years ago
@@BugBountyReportsExplained yeah I actually heard once about Frida in a conference talk, maybe it is the way to go, as completely reverse engineering a program to manipulate messages is still out of my league 😂. thanks bro and keep up the good work 👌👌
@BugBountyReportsExplained 2 years ago
@@ahmadshami5847 thanks mate, good luck with it
@hexadecimalhexadecimal5241 2 years ago
Out of technical curiosity... does anyone know if they can track where the generated money went? Or will they?
@BugBountyReportsExplained 2 years ago
The bug is fixed already.
@hexadecimalhexadecimal5241 2 years ago
@@BugBountyReportsExplained I know it is. I am very new to all of this and it makes not much sense to me, just wanted to know some very basic safeguards as to how a company can defend itself (backtrack the bug etc).
@BugBountyReportsExplained 2 years ago
Ah, that's a good question then. They should have a way to track it. For one, they could compare the amounts of all completed transactions in Steam's database and Smart2Pay's database. There might also be another, easier way for that - it depends on the specific logging of these transactions.
@avenue6427 2 years ago
🔥🔥🔥
@devsutong 2 years ago
simple yet critical 😅💔
@LiEnby 1 year ago
oof tfw you traded literally infinite money for $7500
@IanPlayzIDK 13 days ago
how tf do i do this bro
@Dodo-rb4zf 2 years ago
That's why ppl fuck with websites and etc.... $7500 from Steam? Lol
@mnageh-bo1mm 2 years ago
Hey.... where do I suggest ideas? There is a massive UPnP exploit that everyone should know about but it's a bit complicated and not very new
@BugBountyReportsExplained 2 years ago
You can suggest here, on Twitter or via email.
@mayoneznyk 11 months ago
bro traded infinite money for literally nothing💀💀💀
@curated_euphoria_experience
7500???? 75k would have been meh.
@filcek5791 1 year ago
But does that actually work?
@BugBountyReportsExplained 1 year ago
If it did, it wouldn't be on YT
@mrbmbastic6655 5 months ago
too little money for such a critical vulnerability
@peterchari3839 2 years ago
Great video. It's always a pleasure watching your videos. Bug hunting requires critical thinking or analysis of events. I'm looking for a mentor in this field. I completed my CEH Practical last year but I guess there is a lot I need to learn from experts
@bravo-6900 2 years ago
CEH is garbage man
@peterchari3839 2 years ago
@@bravo-6900 I didn't get good advice before I enrolled. Which one do you recommend?
@bravo-6900 2 years ago
@@peterchari3839 it depends but mostly OSCP, SANS, but not sure, nowadays they seem to be looking for projects, bug reports, any website or something to enhance your profile when you're looking for a job.
@rainsharpay4090 2 years ago
@@peterchari3839 dd
@GiQQ 2 years ago
How could one subscribe without a credit card?
@BugBountyReportsExplained 2 years ago
It's not possible at the moment. What payment method would you like to use?
@GiQQ 2 years ago
@@BugBountyReportsExplained PayPal would work!
@NoahElRhandour 2 years ago
oh yeah PayPal would be dope. It's my only option here in Germany
@gang_albanii 2 years ago
great Pole
@jepp_ 2 years ago
Przelewy24 is a good choice! (lol) (it's Polish)
@BugBountyReportsExplained 2 years ago
That's not a bug on their side
@jepp_ 2 years ago
@@BugBountyReportsExplained I know
@jepp_ 2 years ago
sorry :I
@Ali-er9hr 10 months ago
Hi, that's perfect. But you know... I couldn't access PayPal beyond adding funds, it tells me (oops Sorry) then couldn't accept my request
@BugBountyReportsExplained 10 months ago
This bug was fixed
@Ali-er9hr 8 months ago
@@BugBountyReportsExplained so I can't cheat money, right?😮‍💨
@zzzkatt 1 year ago
send weed