back to article I found a security hole in Steam that gave me every game's license keys and all I got was this... oh nice: $20,000

A bloke has told how he discovered a bug in Valve's Steam marketplace that could have been exploited by thieves to steal game license keys and play pirated titles. Researcher Artem Moskowsky told The Register earlier this week that he stumbled across the vulnerability – which earned him a $20,000 bug bounty for reporting it – …

  1. Spamfast
    Facepalm

    What century is this?!

    SQL injection bug

    Any web developer who is still concatenating GET/POST strings onto SQL queries should be taken around the back of the barn and humanely put out of our misery.

    Variable binding, dolts!

    1. Anonymous Coward
      Anonymous Coward

      Re: What century is this?!

      Yes, I have a bunch of colleagues who do this. One left before I joined, fortunately. On the other hand: there is no way currently to directly pass arbitrary values to the dynamic SQL code, so we are (for now) safe.

      And the horror I have seen in the code... and the database schema - basically there is no organised schema and it is not relational - not a single key (and no foreign keys) at all.

      1. Spamfast

        Re: What century is this?!

        And the horror I have seen in the code... and the database schema - basically there is no organised schema and it is not relational - not a single key (and no foreign keys) at all.

        Ask a web developer what a normal form is and he'll tell you it has input fields.

        1. Danny 14

          Re: What century is this?!

          i inherited a lot of "select * from table where thing = '" + strinput + "'" in an aspx intranet. I was bloody frightening they hadnt been hit before. Idiots.

          1. John G Imrie

            Re: What century is this?!

            i inherited a lot of "select * from table where thing = '" + strinput + "'" in an aspx intranet. I was bloody frightening they hadnt been hit before. Idiots.

            But try getting a) budget or b) time from Management to fix this stuff, you'll get the 'it works so don't touch it' excuse.

    2. cat_mara
      Unhappy

      Re: What century is this?!

      Being Irish, I sometimes hear friends saying, "well, I tried to sign up to [site] the other day but it didn't work. I wonder what's up." A moment later I twig their surname is O'Connor or O'Brien or something and they've probably just inadvertently SQL-injected the sign-up page and I smile a little. A moment after em I realise a) this is the 21st bloody century and why are there still SQL injection attacks, and b) sometimes it's an Irish site. Then I have to go somewhere quiet for a bit until the urge to break things subsides

      1. }{amis}{
        FAIL

        Re: What century is this?!

        A years ago I was working for a small software company that made most of its money peddling web stores to small mom and pop type companies the e-store code was an in-house POS classic asp based monstrosity that every time we got a new customer would be copied from the last.

        As you would expect in this scenario it was a total mess of ancient spaghetti code and then one day we woke up to find one of the customers had been hit by an automatic SQL injection script and was now trying to download a bunch of malware to anyone who viewed the site.

        This obviously needed a fix, so a proper fix would be to go through every place in the code where a variable was incoming and do a proper validation.

        But that was far too expensive for the boss when you take into account we were at that point managing ~30 of these messes all with slightly different code for each customer.

        So the "genius" fix the boss came up with was to look at all incoming data from the browser the global.asax file and if it saw a single quote or a semicolon it would stop processing the request.

        making it impossible to receive any business from any O'leary or the like.

        1. Anonymous Coward
          Anonymous Coward

          Re: What century is this?!

          "making it impossible to receive any business from any O'leary or the like."

          #ChequersBrexit

    3. RyokuMas
      Coat

      Re: What century is this?!

      It would seem that Steam is as good at ensuring the security of its website as it is at curating the majority of the "games" that one obtains there.

    4. Anonymous Coward
      Anonymous Coward

      Re: What century is this?!

      Downvoted for naively assuming that string concatenation is the only SQL injection vector.

      It is not ignorance, it is arrogance that always gets you, so you might want to wind your neck in.

  2. Anonymous Coward
    Anonymous Coward

    Tsk tsk tsk

    How are we ever going to do away with the idea of intellectual property as unenforceable, if people play nice with the bug bounties. We stand to gain a lot more by Mass non-compliance. People will still program out of passion and share out of a desire to show off. If you think about how much combined value there is available to everybody in a world where intellectual property is no longer a legal concept, it seems naive and cool Hardy to support such things went in the end you're losing access to more than that 20, 000 could have ever boughten. And then multiply that by Everybody who might ever have an interest in something currently protected by IP law. Elimination of intellectual property law equals life upgrade for the entire world

    1. Spamfast

      Re: Tsk tsk tsk

      How are we ever going to do away with the idea of intellectual property as unenforceable, if people play nice with the bug bounties. We stand to gain a lot more by Mass non-compliance. People will still program out of passion and share out of a desire to show off. If you think about how much combined value there is available to everybody in a world where intellectual property is no longer a legal concept, it seems naive and cool Hardy to support such things went in the end you're losing access to more than that 20, 000 could have ever boughten. And then multiply that by Everybody who might ever have an interest in something currently protected by IP law. Elimination of intellectual property law equals life upgrade for the entire world

      Don't necessarily disagree because I can't follow this at all.

      Please edit it into something vaguely comprehensible and grammatically correct. (Maybe lay off the sauce first?)

      1. FlamingDeath Silver badge

        Re: Tsk tsk tsk

        I understood what was written, let me simplify it for you all

        sharing is caring

        You're welcome

    2. Anonymous Coward
      Anonymous Coward

      Re: Tsk tsk tsk

      Is this encrypted?

      :)

      1. Throatwarbler Mangrove Silver badge
        Alien

        Re: Tsk tsk tsk

        Message received. The wet bird flies at midnight.

        1. JimboSmith Silver badge

          Re: Tsk tsk tsk

          Allo Nighthawk Allo Nighthawk I have a massage to piss to you from Michelle.

          1. FozzyBear
            Happy

            Re: Tsk tsk tsk

            @ JimboSmith

            Listen very carefully. I shall say this only once.

    3. Brewster's Angle Grinder Silver badge

      Re: Tsk tsk tsk

      If you think the likes of Portal 2 is going to be written by people in their spare time, then think again.

      Perhaps---perhaps---if we switched to UBI then abolition of copyright would be viable.

    4. Pascal Monett Silver badge

      Re: People will [..] share out of a desire to show off

      You live in a sad world. Thankfully, it is not mine.

      1. Danny 14

        Re: People will [..] share out of a desire to show off

        i have a feeling most people on steam arent programming out of passion but out of a desire to pay the bills.

        1. veti Silver badge

          Re: People will [..] share out of a desire to show off

          Some people will share to show off, sure.

          But if you ever again want to have access to software that's been developed by a team of more than three people, that's not going to cut it. Many/most coders enjoy the process of creation, quite a few even like design. But very few enjoy rigorous testing and debugging, and even fewer believe in documentation. And as for project management - it's hard enough to get people to do that when you are paying them...

    5. JLV
      Flame

      Re: Tsk tsk tsk

      A joke, right? Frankly, people like you are an excuse for politicians to enact stupid, lobbyist-friendly, laws and do a disservice to open source.

    6. cray74

      Re: Tsk tsk tsk

      Elimination of intellectual property law equals life upgrade for the entire world

      Or quick development of coercive monopolies. If you take regulations out of the picture, then historically the groups that tend to profit the most are those who have lots of money and legal clout to make their own rules.

      1. Prst. V.Jeltz Silver badge

        Re: Tsk tsk tsk

        "those who have lots of money and legal clout "

        depends , sometimes its weapons and manpower

    7. tim 13

      Re: Tsk tsk tsk

      Don't worry about paying for food, people will still grow it out of passion and share out of a desire to show off.

      1. JLV

        Re: Tsk tsk tsk

        +1

        Not to mention that games, or at least a significant subset of them, sit in a massive blind spot for open source, by nature.

        Many of our favorite games involve the element of surprise and discovery. How will you be surprised, as a player, if the underlying economic model depends solely on the, otherwise very successful, notion of user-contributors? It can work, very well, for game engines. But not for game content where users need to be dissociated from creators.

        Fail, edris90, fail.

  3. Anonymous Coward
    Anonymous Coward

    Not bad for an hour's work.

  4. adraj522

    People expect more than what they get.

  5. Anonymous Coward
    Anonymous Coward

    $20,000

    Store credit!

  6. Siberian Hamster

    The Fallen Madonna with the Big Boobies

    So just for this one guy's input Valve have paid out on two bounties totalling £45k, I can't help but wonder a few things...

    Why aren't they just employing a couple of staff to be full time pen testers, surely it's the cheaper option?

    While this bounty program is in place I would be worried that any internal staff of questionable morals coming across a bug would, rather than fixing said bug would look to strike a deal with an external pen tester to share a bounty.

    Sorry for calling you Shirley.

    1. Zippy´s Sausage Factory

      Re: The Fallen Madonna with the Big Boobies

      If you employ people to be full time pen testers, they will automate things to make their lives easier. They will write scripts. They will become complacent. Not a complaint, just human nature.

      Many eyes make bugs shallow.

      This is why you employ a pro to review new services before you launch them, then you cheerfully part company, they go do the same thing elsewhere and learn new stuff, and you hire them again for a bit when you launch a new service.

      It sounds to me like Steam probably did as much as they could at launch, then left it. Then when bug bounties come up, they're saying "thank you very much" and paying up. Which is as it should be.

    2. Prst. V.Jeltz Silver badge

      Re: The Fallen Madonna with the Big Boobies

      While this bounty program is in place I would be worried that any internal staff of questionable morals coming across a bug would, rather than fixing said bug would look to strike a deal with an external pen tester to share a bounty.

      maybe the bounty comes from whichever programming team is reponsible's wages!

  7. adam payne

    Sometime I wonder about Steam and it's security.

    I can remember the Steam Guard bug where you could enter anything and it would let you login.

  8. Les Matthew
    Flame

    "Sorry kids, it was patched weeks ago by Valve"

    Thank you for holding the readership in such high regard.

    1. Rameses Niblick the Third Kerplunk Kerplunk Whoops Where's My Thribble?

      Re: "Sorry kids, it was patched weeks ago by Valve"

      Thank you for holding the readership in such high regard.

      You saw the post above by edris90, right? While generally incomprehensible, it does indicate that were this bug made public before it was fixed, this person would have done all they could to exploit it as fully as possible. Sadly Les, just because someone reads The Register, it doesn't automatically make them a decent, upstanding human being.

  9. FlamingDeath Silver badge
    1. Anonymous Coward
      Anonymous Coward

      Except the guy who exploited the bugs and got the free keys then reported it to Vavle of course...

  10. Anonymous Coward
    Anonymous Coward

    Video games have no inherent value, like art. And so rely on patronage. People don't purchase a video game versus pirate it because they are afraidof the law. They do it to invest in the artists(development team) to make new things in the future because they want to see more created by this artist(development team).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like