Security flaw for unlimited Steam Wallet funds found, fixed


With the help of a security researcher, Valve has found and fixed an exploit that would have allowed a user to falsify the value of deposits to their Steam wallet. The exploit worked by—for example—turning a $1 deposit into a $100 deposit. It was accomplished by changing the account's email address to one including "amount100," then intercepting a message to a payment company API. 

The writeup for the hack was posted on the white-hat bug bounty site HackerOne under the handle drbrix. Valve and drbrix later made the exchange public, once a fix was implemented. Drbrix first posted the bug as "medium" priority, saying "I think impact is pretty obvious, attacker can generate money and break steam market, sell game keys for cheap etc."

Valve, after testing the exploit and trying a fix, subsequently upgraded the bug to "Critical" severity and the corresponding payout to $7,500 USD "reflecting the potential cost to the business." 

"We hope to hear more from you in the future," the Valve staff said. 

Yes, I'm sure they would.

Valve told The Daily Swig that "Thanks to the person who reported this bug we were able to work with the payment provider to resolve the issues without any impact on customers." Valve did not say whether anyone had actually abused the potential exploit.

Contributor

Jon Bolding is a games writer and critic with an extensive background in strategy games. When he's not on his PC, he can be found playing every tabletop game under the sun.
